#kolide
lvferdi

01/10/2019, 6:44 PM
Good afternoon. I am having an issue with Linux logging to filesystem when config_plugin is set to tls. When running this flagfile I get no logs written to /var/log/osquery/osqueryd.results.log:
--logger_path=/var/log/osquery/
--logger_plugin=filesystem
--disable_events=false
--enroll_secret_path=/etc/osquery/enrollment_secret
--tls_hostname=mykolide.com
--host_identifier=hostname
--enroll_tls_endpoint=/api/v1/osquery/enroll
--config_plugin=tls
--config_tls_endpoint=/api/v1/osquery/config
--config_tls_refresh=10
--disable_distributed=false
--distributed_plugin=tls
--distributed_interval=10
--distributed_tls_max_attempts=3
--distributed_tls_read_endpoint=/api/v1/osquery/distributed/read
--distributed_tls_write_endpoint=/api/v1/osquery/distributed/write
--disable_audit=false
--audit_allow_config=true
--audit_persist=true
--audit_allow_sockets
but if I run osquery with:
--config_plugin=filesystem
--logger_plugin=filesystem
--disable_events=false
it works as expected and writes to file. Any reason the TLS configs would stop the filesystem logging?
zwass

01/10/2019, 7:32 PM
What is the config that is being sent over TLS? You can find out if you add --debug --tls_dump to the osquery invocation.
lvferdi

01/20/2019, 6:18 PM
ty, I’ll try that
Flngen Flugen

06/26/2019, 12:05 AM
I'm having similar issues. Running fleet on a rancher/kubernetes cluster. I'm managing osquery agents with salt. If config_plugin is not set to tls, the agents fail to enroll. Otherwise they do enroll. My goal is to use fleet for ad-hoc queries, and have osquery agents log to /var/log/osquery/osquery.results. I've modified the fleet options to allow for filesystem logging, however filesystem logging doesn't occur. It seems that even though the tls config and filesystem logging are independent of each other, in my case I haven't been able to get the two to coexist. Any help would be greatly appreciated.
Andrea

02/10/2020, 6:18 PM
Has anyone managed to fix this? Noticing the same: if I set config_plugin to tls, then the logger_plugin is set to tls too.
zwass

02/10/2020, 6:37 PM
You have to configure Fleet to send the appropriate options.
Andrea

02/11/2020, 10:48 AM
Actually I am testing with the server mock test_http_server.py ... and the config returned during the test should not override the logger_plugin AFAIK (will double check). Also, debugging the code at initActivePlugin("logger", FLAGS_logger_plugin); the second parameter is already tls rather than filesystem. And it looks like initActivePlugin is not considering the case of multiple plugins.
11:16 AM
This is the flag file:
--ephemeral
--disable_enrollment=true
--allow_unsafe=true
--tls_hostname=localhost:1234
--host_identifier=hostname
--extension_autoload=false
--config_plugin=filesystem
--config_path=C:\Users\ftd\AppData\Local\Temp\osquery-test-python-32910\osquery.conf
--logger_plugin=filesystem
--logger_path=C:\Users\ftd\AppData\Local\Temp\osquery-test-python-32910\log
--disable_extensions=true
--disable_watchdog=true
--disable_events=false
--disable_logging=false
--buffered_log_max=100
--pidfile=C:\Users\ftd\AppData\Local\Temp\osquery-test-python-32910\osquery.pidfile
--verbose=true
--honeypot_cache_path=C:\Users\ftd\AppData\Local\Temp\osquery-test-python-32910\honeypot.cache
--honeypot_zip_file_path=C:\Users\ftd\AppData\Local\Temp\osquery-test-python-32910\honeypot.zip
--precise_uuid_path=C:\Users\ftd\AppData\Local\Temp\osquery-test-python-32910\precise.uuid
--debug_mode=false
--senseon_agent_path=C:\Users\ftd\AppData\Local\Temp\osquery-test-python-32910\senseon-agent.exe
--names_distribution_path=C:\Users\ftd\AppData\Local\Temp\osquery-test-python-32910\distributions
--honeytoken_path=C:\Users\ftd\AppData\Local\Temp\osquery-test-python-32910
Then this is the config I read/write:
{
  "options": {
    "flagfile": "C:\\Users\\ftd\\AppData\\Local\\Temp\\osquery-test-python-32910\\osquery.flags",
    "database_path": "C:\\Users\\ftd\\AppData\\Local\\Temp\\osquery-tests-python-ftd\\tests.db6053",
    "pidfile": "C:\\Users\\ftd\\AppData\\Local\\Temp\\osquery-test-python-32910\\osquery.pidfile",
    "config_path": "C:\\Users\\ftd\\AppData\\Local\\Temp\\osquery-test-python-32910\\osquery.conf",
    "extensions_autoload": "",
    "extensions_socket": "\\\\.\\pipe\\tests.em8685",
    "extensions_interval": "1",
    "extensions_timeout": "0",
    "watchdog_level": "3",
    "disable_logging": "false",
    "disable_events": "true",
    "force": "true",
    "logger_path": "C:\\Users\\ftd\\AppData\\Local\\Temp\\osquery-test-python-32910\\log",
    "enroll_secret_path": "C:\\Users\\ftd\\AppData\\Local\\Temp\\osquery-test-python-32910\\instruction_enroll_secret",
    "tls_server_certs": "C:\\workspace\\endpoint\\build\\tools\\tests/test_server_ca.pem",
    "disable_distributed": false,
    "enroll_tls_endpoint": "/enroll/fail",
    "config_plugin": "tls",
    "config_tls_endpoint": "/config",
    "config_tls_refresh": 1,
    "config_refresh": 1,
    "config_tls_max_attempts": 0,
    "instructions_read": "/api/endpoints/instructions/read",
    "instructions_return": "/api/endpoints/instructions/return",
    "logger_plugin": "filesystem"
  },
  "schedule": {}
}
so apparently I am overriding config_plugin from filesystem to tls, but not the logger_plugin.
5:38 PM
I solved it. It was a strange behaviour caused by a wrong flags config on my end. Thank you.