Channels
#kolide
Title
# kolide
m
manikant singh
10/03/2020, 7:16 AMHow can we change the default location of osquery_result.log file on fleet server.
The default location as of now is "/tmp"
can we change is it to something else?
s
seph
10/03/2020, 1:35 PM
Look at the logging options documented in https://github.com/kolide/fleet/blob/master/docs/infrastructure/configuring-the-fleet-binary.md
m
manikant singh
10/03/2020, 3:04 PMapiVersion: v1
kind: option
spec:
config:
decorators:
load:
- SELECT uuid AS host_uuid FROM system_info;
- SELECT hostname AS hostname FROM system_info;
file_paths:
homes:
- /home/%%
etc:
- /etc/%%
file_accesses:
- home
- etc
osquery:
result_log_file:
- /var/log/osquery/result.log
options:
disable_distributed: false
distributed_interval: 10
distributed_plugin: tls
distributed_tls_max_attempts: 3
logger_plugin: tls
logger_tls_endpoint: /api/v1/osquery/log
logger_tls_period: 10
pack_delimiter: /
overrides: {}
could you please once validate if this is the correct way to change osquery result log locations..
apiVersion: v1kind: optionspec:config:decorators:load:- SELECT uuid AS host_uuid FROM system_info;- SELECT hostname AS hostname FROM system_info;file_paths:homes:- /home/%%etc:- /etc/%%file_accesses:- home- etcosquery:result_log_file:- /var/log/osquery/result.logoptions:disable_distributed: falsedistributed_interval: 10distributed_plugin: tlsdistributed_tls_max_attempts: 3logger_plugin: tlslogger_tls_endpoint: /api/v1/osquery/loglogger_tls_period: 10pack_delimiter: /overrides: {}or this is the correct way ?
osquery:result_log_file: /var/log/osquery/result.logz
zwass
10/03/2020, 4:10 PM
No, you need to set it in the configuration you start the Fleet server with.
m
manikant singh
10/05/2020, 8:07 AMIs there any way to check config file for syntax errors? before I apply the config file to fleet.
z
zwass
10/05/2020, 4:34 PM
For the Fleet server configuration you can use the
fleet config_dumpfleet serve2 Views