# macos

groob

01/23/2019, 4:41 PM
to see the schedule you need to query it from a scheduled query

jackjack

01/23/2019, 5:36 PM
sorry I might have missed your point here. Do you mean I need to write another search in the conf file to query what has been scheduled to run?

groob

01/23/2019, 5:37 PM
yes
you can only get the osqueryd schedule by querying it in the config and reading the logs

jackjack

01/23/2019, 5:38 PM
oh okay

groob

01/23/2019, 5:38 PM
the schedule lives in the db, and osqueryi never interacts with the db

jackjack

01/23/2019, 5:38 PM
any idea on why it's not writing to the result file?

groob

01/23/2019, 5:39 PM
try a simpler config file with a frequent query to debug
there could be a million reasons why but if you’re importing a big config it’s hard to tell

jackjack

01/23/2019, 5:40 PM
ok. Thank you. As always. :D

groob

01/23/2019, 5:40 PM
it could be something like you connecting to a TLS server which overrides the config order and points to a different logger

jackjack

01/23/2019, 5:40 PM
oh... Fleet doesn't do that... does it?

groob

01/23/2019, 5:40 PM
it does

jackjack

01/23/2019, 5:40 PM
oh ;(

groob

01/23/2019, 5:41 PM
if you specified config_plugin=tls then your config file is useless
if you specified config_plugin=filesystem then your pack configs in fleet are useless
pick one

jackjack

01/23/2019, 5:42 PM
lol! It turns out we have both! great catch!
I don't need
config_plugin=tls
for it to talk to fleet, right?

groob

01/23/2019, 5:42 PM
right, you can choose config_plugin=filesystem.

jackjack

01/23/2019, 5:43 PM
👍 thank you

groob

01/23/2019, 5:43 PM
but note that it means you can’t use the fleet packs screens anymore
you can still use fleet for live queries, provided you specified
distributed_plugin=tls
in your conf file
labels will also continue to work that way
also note that fleet has its own config file format you can use to manage packs if you want to do it outside the UI
it’s an option, but there are very few advantages that I know of to using config_plugin=filesystem if you’re committing to using fleet

jackjack

01/23/2019, 6:00 PM
True. Given that our tunnel is up and reliable 😄 meanwhile, I am just using filesystem to fill the gap, once our cloud routing is hardened