Channels
doorman
infrastructure
random
zercurity
community-feeds
fleet-dev
code-review
queryhub
apple-silicon
carving
tls
fim
goquery
zentral
aws
querycon
golang
zeek
file-carving
fuzzing
auditing-warroom
linen-dev
fleetosquery
plugins
jobs
arm-architecture
darkbytes
process-auditing
uptycs
android_tests
selfgroup
vendor-feeds
fleet
eclecticiq-polylogyx-extension
ebpf
website
core
general
macos
kolide
osctrl
extensions
foundation
sql
officehours
linux
windows
Title
p
Pete
11/03/2020, 6:15 PM@seph not that I'm aware of? I'm using the launcher from the git, and outside of the enroll secret and tls cert my only option is --osquery_flag logger_plugin=filesystem,windows_event_log
s
seph
11/03/2020, 6:46 PM--osquery_flag logger_plugin=filesystem\Program Files\osquery\log\osqueryd.results.logThe usual; way people run osquery with a TLS server is without filesystem logs.
Log to the TLS server, and aggregate from there.
You could log to local disk, and do something else. But you need to glue it all together
p
Pete
11/03/2020, 6:48 PMAhh, filesystem option, I wondered if that was the case. Thanks for that info, it's been killing me.
The issue I've been running into is I can define the log location (figured that out, logger_path) but the launcher doesn't have perms to create files there
if I give ownership of a folder to the installer directly, it'll create the files, but not until then
s
sundsta
11/03/2020, 6:52 PMYou would typically set up the permissions as a part of the MSI installer flow.
p
Pete
11/03/2020, 6:55 PMit's the osquery service that stops it though, not the msi
it fails to create the file, and stops everything
Thanks for all the info, I'm probably wrong about a bunch of stuff I think I know at this point.
s
seph
11/03/2020, 6:57 PMThe launcher MSI installs a launcher service. There should be no osquery service here.
How do you intend to collect logs? Are you going to keep them local, or pull them over to your TLS server?
p
Pete
11/03/2020, 6:57 PMI'm bad with words.
I mean that it fails when it tries to run the service and make "osqueryd.results.log", but that happens after the installer finishes.
s
seph
11/03/2020, 6:58 PMAh. Happens sometimes. The osquery MSI installs an osquery service, so the detail matters
But yes, the launcher MSI does not do anything to help local file creation, since it’s build with the assumption that logs will end up going to the TLS server.
p
Pete
11/03/2020, 6:59 PMYeah I'm probably completely misunderstanding how the logs work.
s
seph
11/03/2020, 7:00 PMosquery runs queries. The results of those queries are logged. They may be logged to different places.
Generally, if one is running a TLS server, that server handles distributing configuration and collecting logs.
p
Pete
11/03/2020, 7:10 PMI'm like a total newb. only option I'm changing besides the enroll secret, hostname, and tls cert is the logging plugin. It loads fine, hosts enroll, but then within about 5 minutes they go red/offline. Now I know that by setting the filesystem plugin, it's trying to create a file in that specific location (osquery folder).
The goal is to view event logs on the fleet page.
I would still like to see filesystem logs though too, so
thanks for all the help, I promise I'll get it at some point