# kolide

OMAR

08/16/2019, 10:06 PM
hey folks. I'm rolling out fleet at work and while setting up our log forwarders on the fleet servers, I noticed the results from scheduled queries aren't being written to their configured location. this is an excerpt of my config:
filesystem:
  status_log_file: /var/log/osquery/status.log
  result_log_file: /var/log/osquery/result.log
osquery:
  status_log_plugin: filesystem
  result_log_plugin: filesystem
I did notice that the results are being written to /var/log/syslog, but the output there is from whatever /usr/bin/fleet writes to stdout, which isn't in the most optimal form for shipping logs and making them searchable. Is there something I'm missing here? I found the /var/log/syslog by grepping the entire filesystem for results from a scheduled query. basically
grep -cri 'aapocclcgogkmnckokdopfmhonfmgoek' / 2>/dev/null | grep -v :0
to see where this chrome extension shows up, and it's only in the syslog file, not ever /var/log/osquery/*
bump on this guy, I suspect I'm doing something dumb but I'm not familiar enough with fleet to know where to look

David Gagliardi

08/19/2019, 3:47 PM
does the owning process running fleet have permissions to write to those locations?
oh, i guess it runs as root though, right?
if so... ignore that

OMAR

08/19/2019, 3:48 PM
hehe yeah, it's creating the files and writes to the status log just fine
I created a query pack set to run every 10 seconds (just to test w/o waiting) and I still don't see it

sundsta

08/19/2019, 3:50 PM
You shouldn't run Fleet as root, it doesn't need it

David Gagliardi

08/19/2019, 3:50 PM
O_o really? I thought for sure it was a requirement...
because of the system tables it looks at

sundsta

08/19/2019, 3:51 PM
That's osqueryd
Not Fleet

David Gagliardi

08/19/2019, 3:51 PM
DERP!!!!
Thanks @sundsta you're totally right...
so my question stands then... check permissions

OMAR

08/19/2019, 3:52 PM
it's creating the two files (status + results) and writing to the status log

sundsta

08/19/2019, 3:54 PM
So it's writing to osquery_status but not osquery_result?

OMAR

08/19/2019, 3:55 PM
yep
if it helps this is what my query pack looks like right now

sundsta

08/19/2019, 3:56 PM
Check the fleet server logs (sudo journalctl -u fleet) and verify it sets up the osquery_result writer without errors

OMAR

08/19/2019, 3:56 PM
will do
alright, I'm a dumbass
in that screenshot it says 1 unique host, but when I was testing the pack wasn't assigned to any hosts

David Gagliardi

08/19/2019, 4:05 PM
glad you figured it out

OMAR

08/19/2019, 4:06 PM
thanks for the help!