https://github.com/osquery/osquery logo
Join Slack
Powered by
<@U7QP20JQH> not that I'm aware of? I'm using the ...
# kolide
p
@seph not that I'm aware of? I'm using the launcher from the git, and outside of the enroll secret and tls cert my only option is --osquery_flag logger_plugin=filesystem,windows_event_log
s
--osquery_flag logger_plugin=filesystem
tells osquery to write to the filesystem, it’s using the default path — 
\Program Files\osquery\log\osqueryd.results.log
that directory doesn’t exists, so it’s an error
The usual; way people run osquery with a TLS server is without filesystem logs.
Log to the TLS server, and aggregate from there.
You could log to local disk, and do something else. But you need to glue it all together
p
Ahh, filesystem option, I wondered if that was the case. Thanks for that info, it's been killing me.
The issue I've been running into is I can define the log location (figured that out, logger_path) but the launcher doesn't have perms to create files there
if I give ownership of a folder to the installer directly, it'll create the files, but not until then
s
You would typically set up the permissions as a part of the MSI installer flow.
p
it's the osquery service that stops it though, not the msi
it fails to create the file, and stops everything
Thanks for all the info, I'm probably wrong about a bunch of stuff I think I know at this point.
s
The launcher MSI installs a launcher service. There should be no osquery service here.
How do you intend to collect logs? Are you going to keep them local, or pull them over to your TLS server?
p
I'm bad with words.
I mean that it fails when it tries to run the service and make "osqueryd.results.log", but that happens after the installer finishes.
s
Ah. Happens sometimes. The osquery MSI installs an osquery service, so the detail matters
But yes, the launcher MSI does not do anything to help local file creation, since it’s build with the assumption that logs will end up going to the TLS server.
p
Yeah I'm probably completely misunderstanding how the logs work.
s
osquery runs queries. The results of those queries are logged. They may be logged to different places. Generally, if one is running a TLS server, that server handles distributing configuration and collecting logs.
p
I'm like a total newb. only option I'm changing besides the enroll secret, hostname, and tls cert is the logging plugin. It loads fine, hosts enroll, but then within about 5 minutes they go red/offline. Now I know that by setting the filesystem plugin, it's trying to create a file in that specific location (osquery folder).
The goal is to view event logs on the fleet page.
I would still like to see filesystem logs though too, so
thanks for all the help, I promise I'll get it at some point
Open in Slack
PreviousNext
Powered by