#kolide
Kyle

06/01/2020, 1:17 AM
Hi all, I'm currently trying to configure kolide_grpc and filesystem loggers for launcher. The logs are being sent to the fleet server just fine, however, no results appear on the filesystem. My options file is:
apiVersion: v1
kind: options
spec:
  config:
    decorators:
      always:
      - SELECT user AS username FROM logged_in_users WHERE user <> '' ORDER BY time
        LIMIT 1
      interval:
        "3600": SELECT total_seconds AS uptime FROM uptime
      load:
      - SELECT version FROM osquery_info
      - SELECT uuid AS host_uuid FROM system_info
    options:
      config_plugin: kolide_grpc
      disable_events: false
      distributed_interval: 3
      distributed_tls_max_attempts: 3
      events_max: 8
      logger_path: /var/log/launcher/results
      logger_plugin: kolide_grpc,filesystem
      verbose: true
      watchdog_level: -1
  overrides: {}
Is there something I've missed? Cheers
1:54 AM
I just tried setting the logger_plugin to just filesystem and it still logs to the fleet server, so I guess something is going wrong with the reading of the options.
6:37 AM
Yep, after trying basically everything I put logger_plugin: thisisinvalid and it applied just fine. If I called fleetctl get options it returned thisisinvalid, but launcher just keeps logging to the fleet server, no problem, as if nothing had changed at all.
Julian Scala

06/01/2020, 3:43 PM
Did the daemon get restarted? We had several scenarios where we changed the logging plugin and, until the daemon was restarted, it still reported to the previous plugin.
Kyle

06/01/2020, 11:03 PM
Yep, nothing seems to work, I get no errors or anything either, quite difficult to debug.
Julian Scala

06/01/2020, 11:27 PM
Important question here would be: what do you have in the osquery.flags file?
11:34 PM
fleetctl get options will return what the fleet server holds as daemon config. That doesn't mean that osqueryd on the device is actually using that config. Make sure you have the --config_refresh and --config_plugin values properly set in the osquery.flags file. That worked for me.
Kyle

06/01/2020, 11:53 PM
I thought it might be something to do with this; however, I'm using launcher and launcher builder. Is there a way to set the flags when building the package? Documentation seems to suggest not. If I run ps aux | grep launcher I get this:
/usr/local/launcher/bin/osqueryd --pidfile=/var/launcher/<host>5/osquery.pid --database_path=/var/launcher/<host>/osquery.db --extensions_socket=/var/launcher/<host>/osquery.sock --extensions_autoload=/var/launcher/<host>/osquery.autoload --extensions_timeout=10 --config_plugin=kolide_grpc --logger_plugin=kolide_grpc --distributed_plugin=kolide_grpc --disable_distributed=false --distributed_interval=5 --pack_delimiter=: --host_identifier=uuid --force=true --disable_watchdog --utc --verbose --config_refresh=300 --config_accelerated_refresh=30
where the logger_plugin is kolide_grpc, but the docs say whatever's in the fleet options will override anything else.
1:34 AM
So, I got it "working". I modified the code to
runtime.WithLoggerPluginFlag("kolide_grpc,filesystem"),
in extension.go in launcher and then built the binary; certainly more of a workaround than a solution.
Julian Scala

06/02/2020, 7:24 PM
Hmm interesting
7:24 PM
Way to go