Hi I m having problems with Fleets data result log and statu osquery #kolide

Hi, I'm having problems with Fleets data (result.l...

PaulD

07/19/2019, 12:26 PM

Hi, I'm having problems with Fleets data (result.log and status.log). First I changed anything about the logs, so Fleet wrote its logs in /tmp, and I had no problem to read them. Then I wanted that Fleet write the logs in a specific folder, so I added these lines to the config file :

Copy code

filesystem:
        result_log_file: /opt/fleet/log/result.log
        status_log_file: /opt/fleet/log/status.log
        enable_log_rotation: true

but in /opt/fleet/log, I can see nothing. I wondered if this could be an access problem, but my Fleet has normally all the rights to write into this folder.

sundsta

07/19/2019, 3:35 PM

What's the outpout of

ls -l /opt/fleet

and

ls -l /opt/fleet/log

PaulD

07/19/2019, 5:49 PM

Ok you put me in the way for this, and indeed I forgot to extend my chown to the whole folder /opt/fleet

PaulD

07/19/2019, 5:52 PM

so now I have

Copy code

drwxr-xr-x 19 kolide root  4096 juil. 16 15:28 fleet/

and every file or folder inside are also owned by kolide (the user who starts the fleet service) but that doesn't make it works, I still have nothing of my log folder :

Copy code

root@ubuntu_server_test:/opt/fleet# ls log
root@ubuntu_server_test:/opt/fleet#

(of course I did restart the service)

sundsta

07/19/2019, 6:09 PM

And what do the fleet logs say? Assuming it's running as a systemd service

sudo journalctl -u fleet

benbass

07/19/2019, 6:16 PM

Can you SU to the kolide user and touch a file in that directory?

PaulD

07/19/2019, 6:19 PM

It does work as a service, and it seems to be no error in the journalctl :

Copy code

juil. 16 15:40:16 ubuntu_server_test fleet[4274]: Using config file:  /opt/fleet/etc/kolide.yml
juil. 16 15:40:16 ubuntu_server_test fleet[4274]: {"component":"service","err":null,"method":"ListUsers","took":"624.15µs","ts":"2019-07-16T13:40:16.976668763Z","user":"none"}
juil. 16 15:40:16 ubuntu_server_test fleet[4274]: {"address":"myAddress","msg":"listening","transport":"https","ts":"2019-07-16T13:40:16.977385279Z"}
juil. 16 15:40:17 ubuntu_server_test fleet[4274]: {"component":"service","err":null,"method":"User","took":"204.626174ms","ts":"2019-07-16T13:40:17.347686596Z","user":"crabcrabe"}
juil. 16 15:40:17 ubuntu_server_test fleet[4274]: {"component":"service","err":null,"method":"GetHostSummary","took":"118.227042ms","ts":"2019-07-16T13:40:17.467542294Z"}
juil. 16 15:40:17 ubuntu_server_test fleet[4274]: {"component":"service","err":null,"method":"User","took":"97.914938ms","ts":"2019-07-16T13:40:17.491583979Z","user":"crabcrabe"}
juil. 16 15:40:17 ubuntu_server_test fleet[4274]: {"component":"service","err":null,"method":"User","took":"106.390353ms","ts":"2019-07-16T13:40:17.569026924Z","user":"crabcrabe"}

PaulD

07/19/2019, 6:22 PM

I did set a bin/false for the kolide user, but if I set a bin/bash, then connect with it, I can touch a file

PaulD

07/19/2019, 6:35 PM

Finally the last problem was with the packs. As I reconfigured the Fleet server, Fleet recognized hosts already enrolled as new hosts, so the packs had no data to create, so logically no result.log was created

PaulD

07/19/2019, 6:36 PM

I think the first problem was indeed that Fleet hadn't the access to the file, thanks guys for your help 🙂

2 Views

Open in Slack

Previous Next