#kolide
Julian Scala

05/19/2020, 5:21 PM
Hey, how can I force osqueryd daemons to restart upon an update in the config flags from the server? I tried the force=True flag but it's not working.
zwass

05/19/2020, 5:27 PM
You can't force a restart of osquery from the remote APIs. It's not supported by osquery. Many configs can be dynamically changed while osquery is running, though. What are you trying to change?
Julian Scala

05/19/2020, 6:09 PM
The logging plugin from tls to aws_kinesis
6:19 PM
Is there a place where I can get which flags can be dynamically changed? Also maybe, which flags MUST live on the flags file and which we can set from server config?
6:19 PM
Can't find details of that in the documentation
Erich Stoekl

05/20/2020, 12:01 AM
A better way to change flags would be with your configuration management tooling. How do you deploy osquery in the first place?
Julian Scala

05/20/2020, 5:11 PM
What do you mean by configuration management tooling? We update the config through fleetctl
zwass

05/20/2020, 5:13 PM
He probably means however you are laying down osquery and the flagfile. But I think you should be able to set the logging plugin via the TLS config. Did it not work?
5:14 PM
Take a look at osqueryd --help. Top section is flag only options. Lower section is flag or config options.
Julian Scala

05/20/2020, 5:15 PM
It works, but requires the daemon to be restarted to start logging to the new plugin. We switched from tls plugin to kinesis but it does not take effect until the daemon is restarted. Even tried to push the flag --force=True but also didn't work
zwass

05/20/2020, 5:16 PM
The force flag is unrelated