How do I set up osQuery to keep the process runnin...
# kolided
demonbhao
08/19/2020, 3:54 AMHow do I set up osQuery to keep the process running if I want it to?
I followed the instructions but the following error occurred
My osquery.flags:
sudo osqueryd \
--enroll_secret_path=/var/osquery/enroll_secret \
--tls_server_certs=/var/osquery/server.pem \
--tls_hostname=10.224.100.2:8080 \
--host_identifier=uuid \
--enroll_tls_endpoint=/api/v1/osquery/enroll \
--config_plugin=tls \
--config_tls_endpoint=/api/v1/osquery/config \
--config_refresh=10 \
--disable_distributed=false \
--distributed_plugin=tls \
--distributed_interval=3 \
--distributed_tls_max_attempts=3 \
--distributed_tls_read_endpoint=/api/v1/osquery/distributed/read \
--distributed_tls_write_endpoint=/api/v1/osquery/distributed/write \
--logger_plugin=tls \
--logger_tls_endpoint=/api/v1/osquery/log \
--logger_tls_period=10
j
Joshua B
09/15/2020, 4:39 PMyour osquery.flags file should be only the flags, no
\Joshua B
09/15/2020, 4:40 PM--enroll_secret_path=/var/osquery/enroll_secret
--tls_server_certs=/var/osquery/server.pem
--tls_hostname=10.224.100.2:8080
--host_identifier=uuid
--enroll_tls_endpoint=/api/v1/osquery/enroll
--config_plugin=tls
--config_tls_endpoint=/api/v1/osquery/config
--config_refresh=10
--disable_distributed=false
--distributed_plugin=tls
--distributed_interval=3
--distributed_tls_max_attempts=3
--distributed_tls_read_endpoint=/api/v1/osquery/distributed/read
--distributed_tls_write_endpoint=/api/v1/osquery/distributed/write
--logger_plugin=tls
--logger_tls_endpoint=/api/v1/osquery/log
--logger_tls_period=10
Joshua B
09/15/2020, 4:40 PMeach flag on it's own line
Joshua B
09/15/2020, 4:41 PMhttps://osquery.readthedocs.io/en/stable/installation/cli-flags/#flagfile
Then you can use --flagfile to refer to those flags.
2 Views