Channels
doorman
infrastructure
random
zercurity
community-feeds
fleet-dev
code-review
queryhub
apple-silicon
carving
tls
fim
goquery
zentral
aws
querycon
golang
zeek
file-carving
fuzzing
auditing-warroom
linen-dev
fleetosquery
plugins
jobs
arm-architecture
darkbytes
process-auditing
uptycs
android_tests
selfgroup
vendor-feeds
fleet
eclecticiq-polylogyx-extension
ebpf
website
core
general
macos
kolide
osctrl
extensions
foundation
sql
officehours
linux
windows
Title
k
koba
05/20/2020, 6:04 AMI'm not able to enroll my mac on Fleet server. My
kolide.flags--enroll_secret_path=/private/var/osquery/enroll_secret
--tls_server_certs=/pathtocert/server.cert
--tls_hostname=my.hostname
--host_identifier=uuid
--enroll_tls_endpoint=/api/v1/osquery/enroll
--config_plugin=tls
--config_tls_endpoint=/api/v1/osquery/config
--config_refresh=10
--disable_distributed=false
--distributed_plugin=tls
--distributed_interval=10
--distributed_tls_max_attempts=3
--distributed_tls_read_endpoint=/api/v1/osquery/distributed/read
--distributed_tls_write_endpoint=/api/v1/osquery/distributed/write
--logger_plugin=tls
--logger_tls_endpoint=/api/v1/osquery/log
--logger_tls_period=10
--allow_unsafe
--disable_events=falsesudo ./osqueryd --flagfile=./kolide.flagsE0520 11:28:23.254142 330911168 init.cpp:509] Cannot activate filesystem logger plugin: Could not create file: /var/log/osquery/osqueryd.results.log
I0520 11:28:23.254894 330911168 events.cpp:863] Event publisher not enabled: openbsm: Publisher disabled via configuration
I0520 11:28:23.254936 330911168 events.cpp:863] Event publisher not enabled: scnetwork: Publisher not used
I0520 11:28:23.255002 330911168 events.cpp:863] Event publisher not enabled: event_tapping: Publisher disabled via configuration
E0520 11:28:28.949097 311709120 init.cpp:509] Cannot activate filesystem logger plugin: Could not create file: /var/log/osquery/osqueryd.results.log
I0520 11:28:28.950387 311709120 events.cpp:863] Event publisher not enabled: openbsm: Publisher disabled via configuration
I0520 11:28:28.950567 311709120 events.cpp:863] Event publisher not enabled: scnetwork: Publisher not used
I0520 11:28:28.950739 311709120 events.cpp:863] Event publisher not enabled: event_tapping: Publisher disabled via configuration
E0520 11:28:34.946043 267435456 init.cpp:509] Cannot activate filesystem logger plugin: Could not create file: /var/log/osquery/osqueryd.results.log
I0520 11:28:34.947048 267435456 events.cpp:863] Event publisher not enabled: openbsm: Publisher disabled via configuration
I0520 11:28:34.947127 267435456 events.cpp:863] Event publisher not enabled: scnetwork: Publisher not used
I0520 11:28:34.947149 267435456 events.cpp:863] Event publisher not enabled: event_tapping: Publisher disabled via configurations
seph
05/20/2020, 6:13 AMAdd a
--verbosek
koba
05/20/2020, 7:07 AM@seph thanks for reply. Here is what it looks like now:
❯ sudo ./osqueryd --flagfile=./kolide.flags --verbose
I0520 12:36:06.506144 452500928 init.cpp:340] osquery initialized [version=4.2.0]
I0520 12:36:06.553833 452500928 system.cpp:330] Found stale process for osqueryd (34328)
I0520 12:36:06.554096 452500928 system.cpp:362] Writing osqueryd pid (34352) to /var/osquery/osqueryd.pidfile
I0520 12:36:06.580245 452500928 extensions.cpp:349] Could not autoload extensions: Failed reading: /var/osquery/extensions.load
I0520 12:36:06.608023 253485056 watcher.cpp:583] osqueryd watcher (34352) executing worker (34353)
I0520 12:36:06.968544 449428928 init.cpp:337] osquery worker initialized [watcher=34352]
I0520 12:36:06.969853 449428928 rocksdb.cpp:131] Opening RocksDB handle: /var/osquery/osquery.db
I0520 12:36:07.215679 449428928 auto_constructed_tables.cpp:93] Removing stale ATC entries
I0520 12:36:07.216428 38670336 interface.cpp:268] Extension manager service starting: /var/osquery/osquery.em
E0520 12:36:07.221120 449428928 init.cpp:509] Cannot activate filesystem logger plugin: Could not create file: /var/log/osquery/osqueryd.results.log
I0520 12:36:07.221257 449428928 events.cpp:863] Event publisher not enabled: openbsm: Publisher disabled via configuration
I0520 12:36:07.221274 449428928 events.cpp:863] Event publisher not enabled: scnetwork: Publisher not used
I0520 12:36:07.221283 449428928 events.cpp:863] Event publisher not enabled: event_tapping: Publisher disabled via configuration
I0520 12:36:07.248435 449428928 main.cpp:103] Not starting the distributed query service: Distributed query service not enabled.
I0520 12:36:07.248440 39206912 events.cpp:784] Starting event publisher run loop: diskarbitration
I0520 12:36:07.248463 39743488 events.cpp:784] Starting event publisher run loop: fsevents
I0520 12:36:07.248478 40280064 events.cpp:784] Starting event publisher run loop: iokits
seph
05/20/2020, 5:02 PMThe could not create file error there might matter. Fix that one?
k
koba
05/20/2020, 6:29 PMThanks for pointing that out @seph. There was no directory called
osquery/var/logCould not autoload extensions: Failed reading: /var/osquery/extensions.loadI0520 23:54:19.697759 352955840 init.cpp:340] osquery initialized [version=4.2.0]
I0520 23:54:19.741585 352955840 system.cpp:330] Found stale process for osqueryd (43372)
I0520 23:54:19.741952 352955840 system.cpp:362] Writing osqueryd pid (43571) to /var/osquery/osqueryd.pidfile
I0520 23:54:19.742524 352955840 extensions.cpp:349] Could not autoload extensions: Failed reading: /var/osquery/extensions.load
I0520 23:54:19.770148 25141248 watcher.cpp:583] osqueryd watcher (43571) executing worker (43572)
I0520 23:54:19.790515 162094528 init.cpp:337] osquery worker initialized [watcher=43571]
I0520 23:54:19.793453 162094528 rocksdb.cpp:131] Opening RocksDB handle: /var/osquery/osquery.db
I0520 23:54:20.700681 162094528 auto_constructed_tables.cpp:93] Removing stale ATC entries
I0520 23:54:20.700762 9383936 interface.cpp:268] Extension manager service starting: /var/osquery/osquery.em
I0520 23:54:20.706431 162094528 events.cpp:863] Event publisher not enabled: openbsm: Publisher disabled via configuration
I0520 23:54:20.707361 162094528 events.cpp:863] Event publisher not enabled: scnetwork: Publisher not used
I0520 23:54:20.707695 162094528 events.cpp:863] Event publisher not enabled: event_tapping: Publisher disabled via configuration
I0520 23:54:20.738391 9920512 events.cpp:784] Starting event publisher run loop: diskarbitration
I0520 23:54:20.738387 162094528 main.cpp:103] Not starting the distributed query service: Distributed query service not enabled.
I0520 23:54:20.738417 10993664 events.cpp:784] Starting event publisher run loop: iokit
I0520 23:54:20.738415 10457088 events.cpp:784] Starting event publisher run loop: fsevents
I0520 23:54:27.748370 11530240 scheduler.cpp:96] Executing scheduled query macos_kextstat: SELECT * FROM kernel_extensions;
I0520 23:54:36.769026 11530240 scheduler.cpp:96] Executing scheduled query macos_kextstat: SELECT * FROM kernel_extensions;
I0520 23:54:45.802323 11530240 scheduler.cpp:96] Executing scheduled query macos_kextstat: SELECT * FROM kernel_extensions;
I0520 23:54:54.812383 11530240 scheduler.cpp:96] Executing scheduled query macos_kextstat: SELECT * FROM kernel_extensions;
I0520 23:55:00.850442 11530240 database.cpp:140] Resetting the database plugin: rocksdb
I0520 23:55:00.960263 11530240 rocksdb.cpp:131] Opening RocksDB handle: /var/osquery/osquery.dbs
seph
05/20/2020, 6:31 PMThat’s an information message, not an error. It indicates you have no extensions to configured. You can ignore it.
Note that this output now shows you’re excuting queries. So… Does this work?
k
koba
05/20/2020, 7:38 PMI think the osquery (osqueryd) part is fine. Hence the successful query. But I still can't see my machine listed on fleet server.
I really wish adding host to fleet server were as easy as it is on Kolide SAAS offering. 🧞♂️