Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
g
George
02/18/2021, 8:58 AMDuplicating from #windows
I'm using the kolide launcher for osquery and whenever I install the
package onto a Windows host, the application log gets spammed with Event
log 1,
caller=level.go:63 level=info caller=log.go:69 component=osquery level=stderr msg="...Looking into it further, I don't think this is an "issue" I think this is by design, am I able to direct these logs into a custom event log?
s
seph
02/18/2021, 2:12 PMThat message is truncated, so it’s hard to say what exactly it is.
But
component=osquery level=stderrIf you’re using powershell,
Get-EventLog -LogName Application -Source "launcher" -Newest 30 | select -ExpandProperty messageg
George
02/19/2021, 12:46 PMYes I truncated it as there are many different results, some examples:
caller=log.go:124 ts=2021-02-18T19:52:20.6552995Z caller=level.go:63 level=info caller=log.go:69 component=osquery level=stderr msg="I0218 19:52:20.655298 23212 distributed.cpp:121] Executing distributed query: kolide_label_query_17: SELECT name, build FROM os_version where build=17763" caller=distributed.cpp:121caller=log.go:124 ts=2021-02-18T20:52:16.9077409Z caller=level.go:63 level=info caller=log.go:69 component=osquery level=stderr msg="I0218 20:52:16.907529 23212 interfaces.cpp:102] Failed to retrieve network statistics for interface 14" caller=interfaces.cpp:102caller=log.go:124 ts=2021-02-18T19:52:10.5230024Z caller=level.go:63 level=info caller=log.go:69 component=osquery level=stderr msg="I0218 19:52:10.523001 23212 distributed.cpp:121] Executing distributed query: kolide_detail_query_uptime: select * from uptime limit 1" caller=distributed.cpp:121level=stderrs
seph
02/19/2021, 11:04 PMDo you have something running in debug or verbose mode?
g
George
02/22/2021, 9:42 AMNot that I am aware of. I'm pretty much using the defaults from the Kolide package builder exe
s
seph
02/22/2021, 2:04 PMDouble checking… Yeah, that is coming out osquery’s INFO log. Which I think launcher propagates to windows events. That feels noisy, but I’m not sure what the correct feeling way to suppress it is?
g
George
02/22/2021, 3:48 PMA direct install of osquery comes packaged with a manifest file that allows event logs to be written to
Applications and Services Logs/Facebook/osquerys
seph
02/22/2021, 4:27 PMLauncher does not, at present, log to the local filesystem. Instead it sends all logs to the windows events. Launcher does not expose a lot of knobs about log routing.
(On linux and macOS, launcher logs to stderr, which is collected and managed by systemd and launchd )