Duplicating from < C0FHNQ2N6|windows> I m using the kolide l osquery #kolide

Duplicating from <#C0FHNQ2N6|windows> I'm using th...

George

02/18/2021, 8:58 AM

Duplicating from #windows I'm using the kolide launcher for osquery and whenever I install the package onto a Windows host, the application log gets spammed with Event log 1,

caller=level.go:63 level=info caller=log.go:69 component=osquery level=stderr msg="...

messages, has anyone else seen this issue?

George

02/18/2021, 10:09 AM

Looking into it further, I don't think this is an "issue" I think this is by design, am I able to direct these logs into a custom event log?

seph

02/18/2021, 2:12 PM

That message is truncated, so it’s hard to say what exactly it is.

seph

02/18/2021, 2:13 PM

But

component=osquery level=stderr

indicates osquery is sending it to stderr.

seph

02/18/2021, 2:13 PM

If you’re using powershell,

Get-EventLog -LogName Application -Source "launcher" -Newest 30 | select -ExpandProperty message

should give you the full error

George

02/19/2021, 12:46 PM

Yes I truncated it as there are many different results, some examples:

Copy code

caller=log.go:124 ts=2021-02-18T19:52:20.6552995Z caller=level.go:63 level=info caller=log.go:69 component=osquery level=stderr msg="I0218 19:52:20.655298 23212 distributed.cpp:121] Executing distributed query: kolide_label_query_17: SELECT name, build FROM os_version where build=17763" caller=distributed.cpp:121

Copy code

caller=log.go:124 ts=2021-02-18T20:52:16.9077409Z caller=level.go:63 level=info caller=log.go:69 component=osquery level=stderr msg="I0218 20:52:16.907529 23212 interfaces.cpp:102] Failed to retrieve network statistics for interface 14" caller=interfaces.cpp:102

Copy code

caller=log.go:124 ts=2021-02-18T19:52:10.5230024Z caller=level.go:63 level=info caller=log.go:69 component=osquery level=stderr msg="I0218 19:52:10.523001 23212 distributed.cpp:121] Executing distributed query: kolide_detail_query_uptime: select * from uptime limit 1" caller=distributed.cpp:121

level=stderr

is set for all results but as you can see from above, many of them aren't actual errors

seph

02/19/2021, 11:04 PM

Do you have something running in debug or verbose mode?

George

02/22/2021, 9:42 AM

Not that I am aware of. I'm pretty much using the defaults from the Kolide package builder exe

seph

02/22/2021, 2:04 PM

Double checking… Yeah, that is coming out osquery’s INFO log. Which I think launcher propagates to windows events. That feels noisy, but I’m not sure what the correct feeling way to suppress it is?

George

02/22/2021, 3:48 PM

A direct install of osquery comes packaged with a manifest file that allows event logs to be written to

Applications and Services Logs/Facebook/osquery

. Even just to ability to send the logs to a different event view rather than polluting the application log would be a bonus. This also means we can apply a maximum log size.

seph

02/22/2021, 4:27 PM

Launcher does not, at present, log to the local filesystem. Instead it sends all logs to the windows events. Launcher does not expose a lot of knobs about log routing.

seph

02/22/2021, 4:28 PM

(On linux and macOS, launcher logs to stderr, which is collected and managed by systemd and launchd )

3 Views

Open in Slack

Previous Next