# kolide
o
hey folks. I'm rolling out fleet at work and while setting up our log forwarders on the fleet servers, I noticed the results from scheduled queries aren't being written to their configured location. this is an excerpt of my config:
filesystem:
  status_log_file: /var/log/osquery/status.log
  result_log_file: /var/log/osquery/result.log
osquery:
  status_log_plugin: filesystem
  result_log_plugin: filesystem
I did notice that the results are being written to /var/log/syslog, but the output there is from whatever /usr/bin/fleet writes to stdout, which isn't in the most optimal form for shipping logs and making them searchable. Is there something I'm missing here? I found the /var/log/syslog by grepping the entire filesystem for results from a scheduled query. basically
grep -cri 'aapocclcgogkmnckokdopfmhonfmgoek' / 2>/dev/null | grep -v :0
to see where this chrome extension shows up, and it's only in the syslog file, not ever /var/log/osquery/*
bump on this guy, I suspect I'm doing something dumb but I'm not familiar enough with fleet to know where to look
d
does the owning process running fleet have permissions to write to those locations?
oh, I guess it runs as root though, right?
if so... ignore that
o
hehe yeah, it's creating the files and writes to the status log just fine
I created a query pack set to run every 10 seconds (just to test w/o waiting) and I still don't see it
s
You shouldn't run Fleet as root, it doesn't need it
d
O_o really? I thought for sure it was a requirement...
because of the system tables it looks at
s
That's osqueryd
Not Fleet
d
DERP!!!!
Thanks @sundsta you're totally right...
so my question stands then... check permissions
o
it's creating the two files (status + results) and writing to the status log
s
So it's writing to osquery_status but not osquery_result?
o
yep
if it helps this is what my query pack looks like right now
s
Check the fleet server logs (sudo journalctl -u fleet) and verify it sets up the osquery_result writer without errors
o
will do
alright, I'm a dumbass
in that screenshot it says 1 unique host, but when I was testing the pack wasn't assigned to any hosts
d
glad you figured it out
o
thanks for the help!