https://github.com/osquery/osquery logo
Powered by
Title
p

PaulD

07/19/2019, 12:26 PM
Hi, I'm having problems with Fleets data (result.log and status.log). First I changed anything about the logs, so Fleet wrote its logs in /tmp, and I had no problem to read them. Then I wanted that Fleet write the logs in a specific folder, so I added these lines to the config file : 
filesystem:
        result_log_file: /opt/fleet/log/result.log
        status_log_file: /opt/fleet/log/status.log
        enable_log_rotation: true
but in /opt/fleet/log, I can see nothing. I wondered if this could be an access problem, but my Fleet has normally all the rights to write into this folder.
s

sundsta

07/19/2019, 3:35 PM
What's the outpout of 
ls -l /opt/fleet
and 
ls -l /opt/fleet/log
p

PaulD

07/19/2019, 5:49 PM
Ok you put me in the way for this, and indeed I forgot to extend my chown to the whole folder /opt/fleet
so now I have 
drwxr-xr-x 19 kolide root  4096 juil. 16 15:28 fleet/
and every file or folder inside are also owned by kolide (the user who starts the fleet service) but that doesn't make it works, I still have nothing of my log folder : 
root@ubuntu_server_test:/opt/fleet# ls log
root@ubuntu_server_test:/opt/fleet#
(of course I did restart the service)
s

sundsta

07/19/2019, 6:09 PM
And what do the fleet logs say? Assuming it's running as a systemd service 
sudo journalctl -u fleet
b

benbass

07/19/2019, 6:16 PM
Can you SU to the kolide user and touch a file in that directory?
p

PaulD

07/19/2019, 6:19 PM
It does work as a service, and it seems to be no error in the journalctl : 
juil. 16 15:40:16 ubuntu_server_test fleet[4274]: Using config file:  /opt/fleet/etc/kolide.yml
juil. 16 15:40:16 ubuntu_server_test fleet[4274]: {"component":"service","err":null,"method":"ListUsers","took":"624.15µs","ts":"2019-07-16T13:40:16.976668763Z","user":"none"}
juil. 16 15:40:16 ubuntu_server_test fleet[4274]: {"address":"myAddress","msg":"listening","transport":"https","ts":"2019-07-16T13:40:16.977385279Z"}
juil. 16 15:40:17 ubuntu_server_test fleet[4274]: {"component":"service","err":null,"method":"User","took":"204.626174ms","ts":"2019-07-16T13:40:17.347686596Z","user":"crabcrabe"}
juil. 16 15:40:17 ubuntu_server_test fleet[4274]: {"component":"service","err":null,"method":"GetHostSummary","took":"118.227042ms","ts":"2019-07-16T13:40:17.467542294Z"}
juil. 16 15:40:17 ubuntu_server_test fleet[4274]: {"component":"service","err":null,"method":"User","took":"97.914938ms","ts":"2019-07-16T13:40:17.491583979Z","user":"crabcrabe"}
juil. 16 15:40:17 ubuntu_server_test fleet[4274]: {"component":"service","err":null,"method":"User","took":"106.390353ms","ts":"2019-07-16T13:40:17.569026924Z","user":"crabcrabe"}
I did set a bin/false for the kolide user, but if I set a bin/bash, then connect with it, I can touch a file
Finally the last problem was with the packs. As I reconfigured the Fleet server, Fleet recognized hosts already enrolled as new hosts, so the packs had no data to create, so logically no result.log was created
I think the first problem was indeed that Fleet hadn't the access to the file, thanks guys for your help 🙂
#kolideJoin Slack
Powered by