
George

02/18/2021, 8:58 AM
Duplicating from #windows: I'm using the Kolide launcher for osquery, and whenever I install the package onto a Windows host, the Application log gets spammed with Event log 1,
caller=level.go:63 level=info caller=log.go:69 component=osquery level=stderr msg="...
messages, has anyone else seen this issue?
Looking into it further, I don't think this is an "issue"; I think this is by design. Am I able to direct these logs into a custom event log?

seph

02/18/2021, 2:12 PM
That message is truncated, so it’s hard to say what exactly it is.
But component=osquery level=stderr indicates osquery is sending it to stderr.
If you’re using PowerShell,
Get-EventLog -LogName Application -Source "launcher" -Newest 30 | select -ExpandProperty message
should give you the full error.

George

02/19/2021, 12:46 PM
Yes, I truncated it as there are many different results; some examples:
caller=log.go:124 ts=2021-02-18T19:52:20.6552995Z caller=level.go:63 level=info caller=log.go:69 component=osquery level=stderr msg="I0218 19:52:20.655298 23212 distributed.cpp:121] Executing distributed query: kolide_label_query_17: SELECT name, build FROM os_version where build=17763" caller=distributed.cpp:121
caller=log.go:124 ts=2021-02-18T20:52:16.9077409Z caller=level.go:63 level=info caller=log.go:69 component=osquery level=stderr msg="I0218 20:52:16.907529 23212 interfaces.cpp:102] Failed to retrieve network statistics for interface 14" caller=interfaces.cpp:102
caller=log.go:124 ts=2021-02-18T19:52:10.5230024Z caller=level.go:63 level=info caller=log.go:69 component=osquery level=stderr msg="I0218 19:52:10.523001 23212 distributed.cpp:121] Executing distributed query: kolide_detail_query_uptime: select * from uptime limit 1" caller=distributed.cpp:121
level=stderr is set for all results, but as you can see from the above, many of them aren't actual errors.

seph

02/19/2021, 11:04 PM
Do you have something running in debug or verbose mode?

George

02/22/2021, 9:42 AM
Not that I am aware of. I'm pretty much using the defaults from the Kolide package builder exe.

seph

02/22/2021, 2:04 PM
Double checking… Yeah, that is coming out of osquery’s INFO log, which I think launcher propagates to Windows events. That feels noisy, but I’m not sure what the correct-feeling way to suppress it is.

George

02/22/2021, 3:48 PM
A direct install of osquery comes packaged with a manifest file that allows event logs to be written to Applications and Services Logs/Facebook/osquery. Even just the ability to send the logs to a different event view rather than polluting the Application log would be a bonus. This also means we can apply a maximum log size.

seph

02/22/2021, 4:27 PM
Launcher does not, at present, log to the local filesystem. Instead it sends all logs to the Windows events. Launcher does not expose a lot of knobs about log routing.
(On Linux and macOS, launcher logs to stderr, which is collected and managed by systemd and launchd.)