Hey how can I force osqueryd daemons to restart uppon an upd osquery #kolide

Hey, how can I force osqueryd daemons to restart u...

Julian Scala

05/19/2020, 5:21 PM

Hey, how can I force osqueryd daemons to restart uppon an update in the config flags from the server? I tried the

force=True

flag but its not working.

zwass

05/19/2020, 5:27 PM

You can't force a restart of osquery from the remote APIs. It's not supported by osquery. Many configs can be dynamically changed while osquery is running, though. What are you trying to change?

Julian Scala

05/19/2020, 6:09 PM

The loggin plugin from

tls

aws_kinesis

Julian Scala

05/19/2020, 6:19 PM

Is there a place where I can get which flags can be dynamically changed? Also maybe, which flags MUST live on the flags file and which we can set from server config?

Julian Scala

05/19/2020, 6:19 PM

Cant find details of that in the documentation

Erich Stoekl

05/20/2020, 12:01 AM

A better way to change flags would be with your configuration management tooling. How do you deploy osquery in the first place?

Julian Scala

05/20/2020, 5:11 PM

What you mean by configuration management toooling? We update the config though

fleetctl

zwass

05/20/2020, 5:13 PM

He probably means however you are laying down osquery and the flagfile. But I think you should be able to set the logging plugin via the TLS config. Did it not work?

zwass

05/20/2020, 5:14 PM

Take a look at

osqueryd --help

. Top section is flag only options. Lower section is flag or config options.

Julian Scala

05/20/2020, 5:15 PM

It works, but requires the daemon to be restarted to start logging to the new plugin. We switched from

tls

plugin to

kinesis

but does not take effect until the daemon is restarted. Even tried to push the flag

--force=True

but also didnt work

zwass

05/20/2020, 5:16 PM

the

force

flag is unrelated

5 Views

Open in Slack

Previous Next