# kolide
m
How can we change the default location of the osquery_result.log file on the Fleet server? The default location as of now is "/tmp"; can we change it to something else?
m
Could you please validate once whether this is the correct way to change the osquery result log location?
apiVersion: v1
kind: option
spec:
  config:
    decorators:
      load:
        - SELECT uuid AS host_uuid FROM system_info;
        - SELECT hostname AS hostname FROM system_info;
    file_paths:
      homes:
        - /home/%%
      etc:
        - /etc/%%
    file_accesses:
      - home
      - etc
    osquery:
      result_log_file:
        - /var/log/osquery/result.log
    options:
      disable_distributed: false
      distributed_interval: 10
      distributed_plugin: tls
      distributed_tls_max_attempts: 3
      logger_plugin: tls
      logger_tls_endpoint: /api/v1/osquery/log
      logger_tls_period: 10
      pack_delimiter: /
  overrides: {}
Or is this the correct way?
osquery:
  result_log_file: /var/log/osquery/result.log
z
No, you need to set it in the configuration you start the Fleet server with.
m
Is there any way to check the config file for syntax errors before I apply it to Fleet?
z
For the Fleet server configuration you can use the fleet config_dump command along with any flags you'd provide to fleet serve to check that you get the expected configuration.