Hi all I m currently trying to configure `kolide grpc` and ` osquery #kolide

Hi all, I'm currently trying to configure `kolide_...

Kyle

06/01/2020, 1:17 AM

Hi all, I'm currently trying to configure

kolide_grpc

and

filesystem

loggers for launcher. The logs are being sent to the fleet server just fine, however, no results appear on the filesystem. My options file is:

Copy code

apiVersion: v1
kind: options
spec:
  config:
    decorators:
      always:
      - SELECT user AS username FROM logged_in_users WHERE user <> '' ORDER BY time
        LIMIT 1
      interval:
        "3600": SELECT total_seconds AS uptime FROM uptime
      load:
      - SELECT version FROM osquery_info
      - SELECT uuid AS host_uuid FROM system_info
    options:
      config_plugin: kolide_grpc
      disable_events: false
      distributed_interval: 3
      distributed_tls_max_attempts: 3
      events_max: 8
      logger_path: /var/log/launcher/results
      logger_plugin: kolide_grpc,filesystem
      verbose: true
      watchdog_level: -1
  overrides: {}

Is there something I've missed? Cheers

Kyle

06/01/2020, 1:54 AM

I just tried setting the logger_plugin to just

filesystem

and it still logs to the fleet server, so I guess something is going wrong with reading of the options

Kyle

06/01/2020, 6:37 AM

Yep, after trying basically everything I put

logger_plugin: thisisinvalid

and it applied just fine. If I called

fleetctl get options

it return

thisisinvalid

but launcher just keeps logging to the fleet server, no problem, as if nothing had changed at all.

Julian Scala

06/01/2020, 3:43 PM

Did the daemon got restarted? We had several scenarios where we changed the loggin plugin and until the daemon was restarted, it still report to the previous plugin

Kyle

06/01/2020, 11:03 PM

Yep, nothing seems to work, I get no errors or anything either, quite difficult to debug.

Julian Scala

06/01/2020, 11:27 PM

Important question here would be what do you have in the

osquery.flags

file?

Julian Scala

06/01/2020, 11:34 PM

fleetctl get options

will return what the fleet server holds as daemon config. That doesn’t mean that

osqueryd

in the device is actually using that config. Make sure you have the

--config_refresh

--config_plugin

values properly set in the

osquery.flags

file. That worked for me

Kyle

06/01/2020, 11:53 PM

I thought it might be something to do with this, however, I'm using launcher and launcher builder, is there a way to set the flags when building the package? Documentation seems to suggest not. If I

ps aux | grep launcher

I get this:

Copy code

/usr/local/launcher/bin/osqueryd --pidfile=/var/launcher/<host>5/osquery.pid --database_path=/var/launcher/<host>/osquery.db --extensions_socket=/var/launcher/<host>/osquery.sock --extensions_autoload=/var/launcher/<host>/osquery.autoload --extensions_timeout=10 --config_plugin=kolide_grpc --logger_plugin=kolide_grpc --distributed_plugin=kolide_grpc --disable_distributed=false --distributed_interval=5 --pack_delimiter=: --host_identifier=uuid --force=true --disable_watchdog --utc --verbose --config_refresh=300 --config_accelerated_refresh=30

where the logger_plugin is

kolide_grpc

, but the docs say whatever's in the fleet options will override anything else

Kyle

06/02/2020, 1:34 AM

So, I got it "working" I modified the code to:

Copy code

runtime.WithLoggerPluginFlag("kolide_grpc,filesystem"),

extension.go

in launcher and then built the binary, certainly more of a workaround than a solution

Julian Scala

06/02/2020, 7:24 PM

Hmm interesting

Julian Scala

06/02/2020, 7:24 PM

Way to go

15 Views

Open in Slack

Previous Next