hey folks. I'm rolling out fleet at work and while setting up our log forwarders on the fleet servers, I noticed the results from scheduled queries aren't being written to their configured location. this is an excerpt of my config:

filesystem:
  status_log_file: /var/log/osquery/status.log
  result_log_file: /var/log/osquery/result.log
osquery:
  status_log_plugin: filesystem
  result_log_plugin: filesystem

I did notice that the results are being written to

/var/log/syslog

, but the output there is from whatever

/usr/bin/fleet

writes to stdout, which isn't in the most optimal form for shipping logs and making them searchable. Is there something I'm missing here? I found the /var/log/syslog by grepping the entire filesystem for results from a scheduled query. basically

grep -cri 'aapocclcgogkmnckokdopfmhonfmgoek' / 2>/dev/null | grep -v :0

to see where this chrome extension shows up, and it's only in the syslog file, not ever

/var/log/osquery/*

does the owning process running fleet have permissions to write to those locations?

hehe yeah, it's creating the files and writes to the status log just fine

You shouldn't run Fleet as root, it doesn't need it

O_o really? I thought for sure it was a requirement...

That's osqueryd

DERP!!!!

it's creating the two files (status + results) and writing to the status log

So it's writing to

osquery_status

but not

osquery_result

?

yep

Check the fleet server logs (

sudo journalctl -u fleet

) and verify it sets up the

osquery_result

writer without errors

glad you figured it out

thanks for the help!