I have a mutual question Is there a way to check out host co osquery #kolide

I have a mutual question. Is there a way to check ...

ycpr

07/01/2019, 1:27 PM

I have a mutual question. Is there a way to check out host configuration when running

osqueryd

with

launcher

and

fleet

? I'm trying to set up the simplest one-file configuration for

filesystem

logger plugin, but no logs are created. This is it:

options.yml

zwass

07/01/2019, 2:43 PM

If you run Launcher with —debug you can see the config it is receiving

ycpr

07/01/2019, 3:41 PM

I queried osquery flags through fleet's web interface and found out that everything is set from config except for

logger_plugin

which is always set to

kolide_grpc

. How can I add another logger to the list so it isn't erased? The problem seems to correlate with this issue (https://github.com/kolide/fleet/issues/1584)

zwass

07/01/2019, 5:55 PM

Launcher starts up osquery with that flag for the logger plugin, but it should be overwritten by the config received from the server. Can you try running with

--debug

to see what config it receives?

ycpr

07/01/2019, 6:55 PM

It seems to be I have a problem with configuration though distributed queries work.

errorlog.txt

zwass

07/01/2019, 6:57 PM

initial run results: unmarshal osquery config blob: json: cannot unmarshal string into Go struct field Decorators.interval of type []string

zwass

07/01/2019, 7:02 PM

Try enclosing the interval in quotes.

zwass

07/01/2019, 7:14 PM

Please let me know if that fixes it. I can update the examples in the docs as appropriate.

ycpr

07/01/2019, 7:19 PM

Quotes made the error disappear but

kolide_grpc

is still the only logger plugin.

errorlog.txt

zwass

07/01/2019, 7:22 PM

@seph does the debug logging not include config responses?

seph

07/02/2019, 3:13 PM

Offhand, I don’t know. I’d have to look at the code

4 Views

Open in Slack

Previous Next