#kolide

koba

05/20/2020, 6:04 AM
I'm not able to enroll my Mac on Fleet server. My kolide.flags looks like this:
--enroll_secret_path=/private/var/osquery/enroll_secret  
--tls_server_certs=/pathtocert/server.cert 
--tls_hostname=my.hostname  
--host_identifier=uuid  
--enroll_tls_endpoint=/api/v1/osquery/enroll  
--config_plugin=tls  
--config_tls_endpoint=/api/v1/osquery/config 
--config_refresh=10  
--disable_distributed=false  
--distributed_plugin=tls 
--distributed_interval=10  
--distributed_tls_max_attempts=3  
--distributed_tls_read_endpoint=/api/v1/osquery/distributed/read  
--distributed_tls_write_endpoint=/api/v1/osquery/distributed/write  
--logger_plugin=tls  
--logger_tls_endpoint=/api/v1/osquery/log  
--logger_tls_period=10 
--allow_unsafe 
--disable_events=false
Error when I run
sudo ./osqueryd --flagfile=./kolide.flags
E0520 11:28:23.254142 330911168 init.cpp:509] Cannot activate filesystem logger plugin: Could not create file: /var/log/osquery/osqueryd.results.log
I0520 11:28:23.254894 330911168 events.cpp:863] Event publisher not enabled: openbsm: Publisher disabled via configuration
I0520 11:28:23.254936 330911168 events.cpp:863] Event publisher not enabled: scnetwork: Publisher not used
I0520 11:28:23.255002 330911168 events.cpp:863] Event publisher not enabled: event_tapping: Publisher disabled via configuration
E0520 11:28:28.949097 311709120 init.cpp:509] Cannot activate filesystem logger plugin: Could not create file: /var/log/osquery/osqueryd.results.log
I0520 11:28:28.950387 311709120 events.cpp:863] Event publisher not enabled: openbsm: Publisher disabled via configuration
I0520 11:28:28.950567 311709120 events.cpp:863] Event publisher not enabled: scnetwork: Publisher not used
I0520 11:28:28.950739 311709120 events.cpp:863] Event publisher not enabled: event_tapping: Publisher disabled via configuration
E0520 11:28:34.946043 267435456 init.cpp:509] Cannot activate filesystem logger plugin: Could not create file: /var/log/osquery/osqueryd.results.log
I0520 11:28:34.947048 267435456 events.cpp:863] Event publisher not enabled: openbsm: Publisher disabled via configuration
I0520 11:28:34.947127 267435456 events.cpp:863] Event publisher not enabled: scnetwork: Publisher not used
I0520 11:28:34.947149 267435456 events.cpp:863] Event publisher not enabled: event_tapping: Publisher disabled via configuration

seph

05/20/2020, 6:13 AM
Add a --verbose there?

koba

05/20/2020, 7:07 AM
@seph thanks for the reply. Here is what it looks like now:
❯ sudo ./osqueryd --flagfile=./kolide.flags --verbose
I0520 12:36:06.506144 452500928 init.cpp:340] osquery initialized [version=4.2.0]
I0520 12:36:06.553833 452500928 system.cpp:330] Found stale process for osqueryd (34328)
I0520 12:36:06.554096 452500928 system.cpp:362] Writing osqueryd pid (34352) to /var/osquery/osqueryd.pidfile
I0520 12:36:06.580245 452500928 extensions.cpp:349] Could not autoload extensions: Failed reading: /var/osquery/extensions.load
I0520 12:36:06.608023 253485056 watcher.cpp:583] osqueryd watcher (34352) executing worker (34353)
I0520 12:36:06.968544 449428928 init.cpp:337] osquery worker initialized [watcher=34352]
I0520 12:36:06.969853 449428928 rocksdb.cpp:131] Opening RocksDB handle: /var/osquery/osquery.db
I0520 12:36:07.215679 449428928 auto_constructed_tables.cpp:93] Removing stale ATC entries
I0520 12:36:07.216428 38670336 interface.cpp:268] Extension manager service starting: /var/osquery/osquery.em
E0520 12:36:07.221120 449428928 init.cpp:509] Cannot activate filesystem logger plugin: Could not create file: /var/log/osquery/osqueryd.results.log
I0520 12:36:07.221257 449428928 events.cpp:863] Event publisher not enabled: openbsm: Publisher disabled via configuration
I0520 12:36:07.221274 449428928 events.cpp:863] Event publisher not enabled: scnetwork: Publisher not used
I0520 12:36:07.221283 449428928 events.cpp:863] Event publisher not enabled: event_tapping: Publisher disabled via configuration
I0520 12:36:07.248435 449428928 main.cpp:103] Not starting the distributed query service: Distributed query service not enabled.
I0520 12:36:07.248440 39206912 events.cpp:784] Starting event publisher run loop: diskarbitration
I0520 12:36:07.248463 39743488 events.cpp:784] Starting event publisher run loop: fsevents
I0520 12:36:07.248478 40280064 events.cpp:784] Starting event publisher run loop: iokit

seph

05/20/2020, 5:02 PM
The "Could not create file" error there might matter. Fix that one?

koba

05/20/2020, 6:29 PM
Thanks for pointing that out @seph. There was no directory called osquery under /var/log, so I created one. It is still complaining about
Could not autoload extensions: Failed reading: /var/osquery/extensions.load
I can't find this file anywhere on my system. Here is what I have now:
I0520 23:54:19.697759 352955840 init.cpp:340] osquery initialized [version=4.2.0]
I0520 23:54:19.741585 352955840 system.cpp:330] Found stale process for osqueryd (43372)
I0520 23:54:19.741952 352955840 system.cpp:362] Writing osqueryd pid (43571) to /var/osquery/osqueryd.pidfile
I0520 23:54:19.742524 352955840 extensions.cpp:349] Could not autoload extensions: Failed reading: /var/osquery/extensions.load
I0520 23:54:19.770148 25141248 watcher.cpp:583] osqueryd watcher (43571) executing worker (43572)
I0520 23:54:19.790515 162094528 init.cpp:337] osquery worker initialized [watcher=43571]
I0520 23:54:19.793453 162094528 rocksdb.cpp:131] Opening RocksDB handle: /var/osquery/osquery.db
I0520 23:54:20.700681 162094528 auto_constructed_tables.cpp:93] Removing stale ATC entries
I0520 23:54:20.700762 9383936 interface.cpp:268] Extension manager service starting: /var/osquery/osquery.em
I0520 23:54:20.706431 162094528 events.cpp:863] Event publisher not enabled: openbsm: Publisher disabled via configuration
I0520 23:54:20.707361 162094528 events.cpp:863] Event publisher not enabled: scnetwork: Publisher not used
I0520 23:54:20.707695 162094528 events.cpp:863] Event publisher not enabled: event_tapping: Publisher disabled via configuration
I0520 23:54:20.738391 9920512 events.cpp:784] Starting event publisher run loop: diskarbitration
I0520 23:54:20.738387 162094528 main.cpp:103] Not starting the distributed query service: Distributed query service not enabled.
I0520 23:54:20.738417 10993664 events.cpp:784] Starting event publisher run loop: iokit
I0520 23:54:20.738415 10457088 events.cpp:784] Starting event publisher run loop: fsevents
I0520 23:54:27.748370 11530240 scheduler.cpp:96] Executing scheduled query macos_kextstat: SELECT * FROM kernel_extensions;
I0520 23:54:36.769026 11530240 scheduler.cpp:96] Executing scheduled query macos_kextstat: SELECT * FROM kernel_extensions;
I0520 23:54:45.802323 11530240 scheduler.cpp:96] Executing scheduled query macos_kextstat: SELECT * FROM kernel_extensions;
I0520 23:54:54.812383 11530240 scheduler.cpp:96] Executing scheduled query macos_kextstat: SELECT * FROM kernel_extensions;
I0520 23:55:00.850442 11530240 database.cpp:140] Resetting the database plugin: rocksdb
I0520 23:55:00.960263 11530240 rocksdb.cpp:131] Opening RocksDB handle: /var/osquery/osquery.db

seph

05/20/2020, 6:31 PM
That’s an information message, not an error. It indicates you have no extensions configured. You can ignore it.
6:31 PM
Note that this output now shows you’re executing queries. So… Does this work?

koba

05/20/2020, 7:38 PM
I think the osquery (osqueryd) part is fine. Hence the successful query. But I still can't see my machine listed on fleet server.
7:39 PM
I really wish adding host to fleet server were as easy as it is on Kolide SAAS offering. 🧞‍♂️