doggles
05/18/2020, 10:36 AMzwass
doggles
05/18/2020, 4:39 PM
--disable_audit=false
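# osquery flagfile pushed to the mac endpoints. gflags flagfiles accept '#'
# comment lines; the server-side half of the config is what the --tls_dump
# output below shows being fetched over TLS.
--audit_persist=true
--audit_allow_config=true
# NOTE(review): the audit_* / disable_audit flags drive the Linux audit
# publisher; on the mac endpoints this flagfile is pushed to they are
# presumably inert -- confirm before relying on them for event data.
--disable_events=false
# Configuration is pulled from the server over TLS, not read from a local file.
--config_plugin=tls
--config_tls_endpoint=/api/v1/osquery/config
# Seconds between config refreshes. 10 is a debugging value; raise it before
# rolling this out fleet-wide.
--config_tls_refresh=10
--database_path=/var/osquery/osquery.db
# Live ("distributed") queries: poll the read endpoint, post results to write.
--disable_distributed=false
--distributed_interval=10
--distributed_plugin=tls
--distributed_tls_max_attempts=3
--distributed_tls_read_endpoint=/api/v1/osquery/distributed/read
--distributed_tls_write_endpoint=/api/v1/osquery/distributed/write
# Was `true` in the flagfile as originally pasted. That switches the logger
# plugin off, so status/result logs never reached logger_tls_endpoint even
# though config and distributed requests worked. Must be false to ship logs.
--disable_logging=false
# The enroll secret is presented once to obtain the host's node_key.
# NOTE(review): it should be readable by root only -- verify the file mode
# on the endpoints.
--enroll_secret_path=/var/osquery/enroll
--enroll_tls_endpoint=/api/v1/osquery/enroll
--logger_plugin=tls
--logger_tls_endpoint=/api/v1/osquery/log
# Seconds between log flushes to the server.
--logger_tls_period=10
# Bare host[:port] only -- no scheme; osquery always speaks HTTPS to these
# endpoints. (The pasted line was a Slack-mangled "<http://...|...>" link.)
# NOTE(review): no --tls_server_certs is set, so the server certificate is
# presumably validated against the system CA store; set it to pin the Fleet
# CA if that is wanted.
--tls_hostname=kolide.company.com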
our flagfilezwass
--tls_dump
and see what the config looks like that osquery receives. You'll also see whether osquery is sending logs back to the server (a POST to the `logger_tls_endpoint`). Caveat: `--tls_dump` writes complete request and response bodies to the log, including the host's `node_key`, so enable it only while debugging and scrub the output before sharing it.
doggles
05/18/2020, 4:59 PM
effectively seeing this (note: the dump includes the host's `node_key`, the per-host credential osquery sends on every request to the server; redact it before sharing, and if it has been exposed re-enrolling the host should issue a fresh key):
I0518 18:57:55.433888 49946624 config.cpp:1140] Refreshing configuration state
I0518 18:57:55.435231 49946624 tls.cpp:253] TLS/HTTPS POST request to URI: <https://kolide.company.com/api/v1/osquery/config>
{"node_key":"O3e2Eynt1+bqCcxmBEjko09yNdiLg0SN"}
{
"decorators": {
"load": [
"SELECT uuid AS host_uuid FROM system_info;",
"SELECT hostname AS hostname FROM system_info;"
]
},
"file_paths": {
"binaries": [
"/usr/bin/%%",
"/usr/sbin/%%",
"/bin/%%",
"/sbin/%%",
"/usr/local/bin/%%",
"/usr/local/sbin/%%"
],
"configuration": [
"/etc/group",
"/etc/passwd",
"/etc/gshadow",
"/etc/shadow",
"/etc/security/%%",
"/etc/nsswitch.conf",
"/etc/pam.d/%%",
"/etc/issue%",
"/etc/hosts%",
"/etc/ssh/%%",
"/etc/sysconfig/network",
"/etc/sysconfig/network-scripts/%%",
"/etc/localtime",
"/etc/selinux/%%",
"/etc/sudoers",
"/etc/sudoers.d/%%",
"/etc/cron%/%%",
"/etc/crontab",
"/etc/fstab",
"/etc/hostname",
"/etc/ld.so.conf",
"/etc/ld.so.conf.d/%%",
"/etc/rc%/%%"
]
},
"options": {
"disable_distributed": false,
"distributed_interval": 10,
"distributed_plugin": "tls",
"distributed_tls_max_attempts": 3,
"distributed_tls_read_endpoint": "/api/v1/osquery/distributed/read",
"distributed_tls_write_endpoint": "/api/v1/osquery/distributed/write",
"enable_monitor": true,
"events_expiry": 300,
"events_max": 50000,
"logger_path": "/var/log/osquery",
"logger_tls_endpoint": "/api/v1/osquery/log",
"logger_tls_period": 10,
"pack_delimiter": "/",
"pack_refresh_interval": 60,
"schedule_default_interval": 3597,
"schedule_splay_percent": 10,
"utc": true,
"worker_threads": 2
},
"packs": {
"test": {
"queries": {
"Scheduled Query Test": {
"query": "SELECT * FROM time;",
"interval": 600,
"platform": "darwin",
"snapshot": true,
"removed": false
}
}
}
}
}
I0518 18:58:03.631273 53166080 tls.cpp:253] TLS/HTTPS POST request to URI: <https://kolide.company.com/api/v1/osquery/distributed/read>
{"node_key":"O3e2Eynt1+bqCcxmBEjko09yNdiLg0SN"}
{
"queries": {}
}
I0518 18:58:05.708802 49946624 config.cpp:1140] Refreshing configuration state
I0518 19:00:01.741070 53702656 scheduler.cpp:96] Executing scheduled query pack/test/Scheduled Query Test: SELECT * FROM time;
I0518 19:00:01.745529 53702656 database.cpp:140] Resetting the database plugin: rocksdb
I0518 19:00:01.747506 53702656 rocksdb.cpp:131] Opening RocksDB handle: /var/osquery/osquery.db
I0518 19:00:06.776628 53166080 tls.cpp:253] TLS/HTTPS POST request to URI: <https://kolide.company.com/api/v1/osquery/distributed/read>
{"node_key":"O3e2Eynt1+bqCcxmBEjko09yNdiLg0SN"}
{
"queries": {}
}
I0518 19:00:08.775307 49946624 config.cpp:1140] Refreshing configuration state
zwass
doggles
05/18/2020, 5:06 PMstatus.log
on the fleet serverzwass
doggles
05/18/2020, 5:22 PMzwass
doggles
05/18/2020, 5:33 PMfleetctl get options
has a separate config from the flagfile pushed to each mac endpoint. (`fleetctl get options` shows the server-side options osquery fetches via `--config_plugin=tls` — the same `options` object seen in the `--tls_dump` output above — while the flagfile is local to each host; `--disable_logging` in particular is only set in the flagfile.)
zwass
doggles
05/18/2020, 6:13 PM
apiVersion: v1
# Output of `fleetctl get options`: the server-side options every host pulls
# through --config_plugin=tls. The `config` section is the same
# decorators / file_paths / options object that appeared in the --tls_dump
# above. `disable_logging` is absent here: that flag lives in the per-host
# flagfile, not in this server-side spec.
kind: options
spec:
  config:
    decorators:
      load:
        - SELECT uuid AS host_uuid FROM system_info;
        - SELECT hostname AS hostname FROM system_info;
    # FIM targets. `configuration` covers credential and privilege files
    # (shadow/gshadow, sudoers, ssh, pam, cron, ld.so.conf), so their events
    # are worth alerting on rather than just collecting.
    file_paths:
      binaries:
        - /usr/bin/%%
        - /usr/sbin/%%
        - /bin/%%
        - /sbin/%%
        - /usr/local/bin/%%
        - /usr/local/sbin/%%
      configuration:
        - /etc/group
        - /etc/passwd
        - /etc/gshadow
        - /etc/shadow
        - /etc/security/%%
        - /etc/nsswitch.conf
        - /etc/pam.d/%%
        - /etc/issue%
        - /etc/hosts%
        - /etc/ssh/%%
        - /etc/sysconfig/network
        - /etc/sysconfig/network-scripts/%%
        - /etc/localtime
        - /etc/selinux/%%
        - /etc/sudoers
        - /etc/sudoers.d/%%
        - /etc/cron%/%%
        - /etc/crontab
        - /etc/fstab
        - /etc/hostname
        - /etc/ld.so.conf
        - /etc/ld.so.conf.d/%%
        - /etc/rc%/%%
    options:
      disable_distributed: false
      distributed_interval: 10
      distributed_plugin: tls
      distributed_tls_max_attempts: 3
      distributed_tls_read_endpoint: /api/v1/osquery/distributed/read
      distributed_tls_write_endpoint: /api/v1/osquery/distributed/write
      enable_monitor: true
      events_expiry: 300
      events_max: 50000
      logger_path: /var/log/osquery
      logger_tls_endpoint: /api/v1/osquery/log
      logger_tls_period: 10
      pack_delimiter: /
      pack_refresh_interval: 60
      schedule_default_interval: 3597
      schedule_splay_percent: 10
      utc: true
      worker_threads: 2
  overrides: {}
zwass
--disable_logging=true
in your flagfile. That flag turns the logger plugin off entirely, which is why the dump shows config and distributed requests but no POST to `/api/v1/osquery/log`. Set `--disable_logging=false` (or remove the line), then restart osqueryd.
doggles
05/19/2020, 8:45 AMzwass
doggles
05/19/2020, 8:39 PMzwass