https://github.com/osquery/osquery logo
Powered by
Title
l

lvferdi

01/10/2019, 6:44 PM
Good afternoon. I am having an issue with linux logging to filesystem when config_plugin is set to 
tls
when running this flagfile I get no logs written to 
/var/log/osquery/osqueryd.results.log
--logger_path=/var/log/osquery/
--logger_plugin=filesystem
--disable_events=false
--enroll_secret_path=/etc/osquery/enrollment_secret
--tls_hostname=<http://mykolide.com|mykolide.com>
--host_identifier=hostname
--enroll_tls_endpoint=/api/v1/osquery/enroll
--config_plugin=tls
--config_tls_endpoint=/api/v1/osquery/config
--config_tls_refresh=10
--disable_distributed=false
--distributed_plugin=tls
--distributed_interval=10
--distributed_tls_max_attempts=3
--distributed_tls_read_endpoint=/api/v1/osquery/distributed/read
--distributed_tls_write_endpoint=/api/v1/osquery/distributed/write
--disable_audit=false
--audit_allow_config=true
--audit_persist=true
--audit_allow_sockets
but if I run osquery with 
--config_plugin=filesystem
--logger_plugin=filesystem
--disable_events=false
it works as expected and writes to file. Any reason the TLS configs would stop the filesystem logging
z

zwass

01/10/2019, 7:32 PM
What is the config that is being sent over TLS? You can find out if you add 
--debug --tls_dump
to the osquery invocation.
l

lvferdi

01/20/2019, 6:18 PM
ty, I’ll try that
f

Flngen Flugen

06/26/2019, 12:05 AM
I'm having similar issues. Running fleet on a rancher/kubernetes cluster. I'm managing osquery agents with salt. If config_plugin is not set to tls, the agents fail to enroll. Otherwise they do enroll. My goal is to use fleet for ad-hoc queries, and have osquery agents log to /var/log/osquery/osquery.results. I've modified the fleet options to allow for filesystem logging, however filesystem logging doesn't occur. It seems that even though the tls config and filesystem logging are independent of each other, in my case I haven't been able to get the two to coexist. Any help would be greatly appreciated.
a

Andrea

02/10/2020, 6:18 PM
Have anyone managed to fix this? noticing the same. if I set 
config_plugin
to 
tls
then the 
logger_plugin
is set to 
tls
too.
z

zwass

02/10/2020, 6:37 PM
You have to configure Fleet to send the appropriate options.
a

Andrea

02/11/2020, 10:48 AM
Actually I am testing with the server mock 
test_http_server.py
... and the config returned during the test should not override the 
logger_plugin
AFAIK. (will double check). Also, debugging the code at 
initActivePlugin("logger", FLAGS_logger_plugin);
the second parameter is already 
tls
rather than 
filesystem
. And it looks like 
initActivePlugin
is not considering the case of multiple plugins.
This is the flag file: 
--ephemeral
--disable_enrollment=true
--allow_unsafe=true
--tls_hostname=localhost:1234
--host_identifier=hostname
--extension_autoload=false
--config_plugin=filesystem
--config_path=C:\Users\ftd\AppData\Local\Temp\osquery-test-python-32910\osquery.conf
--logger_plugin=filesystem
--logger_path=C:\Users\ftd\AppData\Local\Temp\osquery-test-python-32910\log
--disable_extensions=true
--disable_watchdog=true
--disable_events=false
--disable_logging=false
--buffered_log_max=100
--pidfile=C:\Users\ftd\AppData\Local\Temp\osquery-test-python-32910\osquery.pidfile
--verbose=true
--honeypot_cache_path=C:\Users\ftd\AppData\Local\Temp\osquery-test-python-32910\honeypot.cache
--honeypot_zip_file_path=C:\Users\ftd\AppData\Local\Temp\osquery-test-python-32910\honeypot.zip
--precise_uuid_path=C:\Users\ftd\AppData\Local\Temp\osquery-test-python-32910\precise.uuid
--debug_mode=false
--senseon_agent_path=C:\Users\ftd\AppData\Local\Temp\osquery-test-python-32910\senseon-agent.exe
--names_distribution_path=C:\Users\ftd\AppData\Local\Temp\osquery-test-python-32910\distributions
--honeytoken_path=C:\Users\ftd\AppData\Local\Temp\osquery-test-python-32910
Then this is the config I read/write: 
{
  "options": {
    "flagfile": "C:\\Users\\ftd\\AppData\\Local\\Temp\\osquery-test-python-32910\\osquery.flags",
    "database_path": "C:\\Users\\ftd\\AppData\\Local\\Temp\\osquery-tests-python-ftd\\tests.db6053",
    "pidfile": "C:\\Users\\ftd\\AppData\\Local\\Temp\\osquery-test-python-32910\\osquery.pidfile",
    "config_path": "C:\\Users\\ftd\\AppData\\Local\\Temp\\osquery-test-python-32910\\osquery.conf",
    "extensions_autoload": "",
    "extensions_socket": "\\\\.\\pipe\\tests.em8685",
    "extensions_interval": "1",
    "extensions_timeout": "0",
    "watchdog_level": "3",
    "disable_logging": "false",
    "disable_events": "true",
    "force": "true",
    "logger_path": "C:\\Users\\ftd\\AppData\\Local\\Temp\\osquery-test-python-32910\\log",
    "enroll_secret_path": "C:\\Users\\ftd\\AppData\\Local\\Temp\\osquery-test-python-32910\\instruction_enroll_secret",
    "tls_server_certs": "C:\\workspace\\endpoint\\build\\tools\\tests/test_server_ca.pem",
    "disable_distributed": false,
    "enroll_tls_endpoint": "/enroll/fail",
    "config_plugin": "tls",
    "config_tls_endpoint": "/config",
    "config_tls_refresh": 1,
    "config_refresh": 1,
    "config_tls_max_attempts": 0,
    "instructions_read": "/api/endpoints/instructions/read",
    "instructions_return": "/api/endpoints/instructions/return",
    "logger_plugin": "filesystem"
  },
  "schedule": {}
}
so apparently I am overriding 
config_plugin
from 
filesystem
to 
tls
but not the 
logger_plugin
.
I solved it. It was a strange behaviour from a wrong flags config on my end. Thank you.
2 Views
#kolideJoin Slack
Powered by