Pete

11/03/2020, 6:15 PM
@seph not that I'm aware of? I'm using the launcher from the git, and outside of the enroll secret and tls cert my only option is --osquery_flag logger_plugin=filesystem,windows_event_log

seph

11/03/2020, 6:46 PM
--osquery_flag logger_plugin=filesystem
tells osquery to write to the filesystem, it’s using the default path —
\Program Files\osquery\log\osqueryd.results.log
that directory doesn't exist, so it's an error
The usual way people run osquery with a TLS server is without filesystem logs.
Log to the TLS server, and aggregate from there.
You could log to local disk, and do something else. But you need to glue it all together

Pete

11/03/2020, 6:48 PM
Ahh, filesystem option, I wondered if that was the case. Thanks for that info, it's been killing me.
The issue I've been running into is I can define the log location (figured that out, logger_path) but the launcher doesn't have perms to create files there
if I give ownership of a folder to the installer directly, it'll create the files, but not until then

sundsta

11/03/2020, 6:52 PM
You would typically set up the permissions as a part of the MSI installer flow.

Pete

11/03/2020, 6:55 PM
it's the osquery service that stops it though, not the msi
it fails to create the file, and stops everything
Thanks for all the info, I'm probably wrong about a bunch of stuff I think I know at this point.

seph

11/03/2020, 6:57 PM
The launcher MSI installs a launcher service. There should be no osquery service here.
How do you intend to collect logs? Are you going to keep them local, or pull them over to your TLS server?

Pete

11/03/2020, 6:57 PM
I'm bad with words.
I mean that it fails when it tries to run the service and make "osqueryd.results.log", but that happens after the installer finishes.

seph

11/03/2020, 6:58 PM
Ah. Happens sometimes. The osquery MSI installs an osquery service, so the detail matters
But yes, the launcher MSI does not do anything to help local file creation, since it's built with the assumption that logs will end up going to the TLS server.

Pete

11/03/2020, 6:59 PM
Yeah I'm probably completely misunderstanding how the logs work.

seph

11/03/2020, 7:00 PM
osquery runs queries. The results of those queries are logged. They may be logged to different places. Generally, if one is running a TLS server, that server handles distributing configuration and collecting logs.

Pete

11/03/2020, 7:10 PM
I'm like a total newb. The only option I'm changing besides the enroll secret, hostname, and tls cert is the logging plugin. It loads fine, hosts enroll, but then within about 5 minutes they go red/offline. Now I know that by setting the filesystem plugin, it's trying to create a file in that specific location (osquery folder).
The goal is to view event logs on the fleet page.
I would still like to see filesystem logs though too, so
thanks for all the help, I promise I'll get it at some point