# kolide
l
Good afternoon. I am having an issue with Linux logging to filesystem when `config_plugin` is set to `tls`. When running this flagfile I get no logs written to `/var/log/osquery/osqueryd.results.log`:
```
--logger_path=/var/log/osquery/
--logger_plugin=filesystem
--disable_events=false
--enroll_secret_path=/etc/osquery/enrollment_secret
--tls_hostname=mykolide.com
--host_identifier=hostname
--enroll_tls_endpoint=/api/v1/osquery/enroll
--config_plugin=tls
--config_tls_endpoint=/api/v1/osquery/config
--config_tls_refresh=10
--disable_distributed=false
--distributed_plugin=tls
--distributed_interval=10
--distributed_tls_max_attempts=3
--distributed_tls_read_endpoint=/api/v1/osquery/distributed/read
--distributed_tls_write_endpoint=/api/v1/osquery/distributed/write
--disable_audit=false
--audit_allow_config=true
--audit_persist=true
--audit_allow_sockets
```
But if I run osquery with:
```
--config_plugin=filesystem
--logger_plugin=filesystem
--disable_events=false
```
it works as expected and writes to file. Any reason the TLS configs would stop the filesystem logging?
z
What is the config that is being sent over TLS? You can find out if you add `--debug --tls_dump` to the osquery invocation.
l
ty, I’ll try that
f
I'm having similar issues. Running fleet on a rancher/kubernetes cluster. I'm managing osquery agents with salt. If config_plugin is not set to tls, the agents fail to enroll. Otherwise they do enroll. My goal is to use fleet for ad-hoc queries, and have osquery agents log to /var/log/osquery/osquery.results. I've modified the fleet options to allow for filesystem logging, however filesystem logging doesn't occur. It seems that even though the tls config and filesystem logging are independent of each other, in my case I haven't been able to get the two to coexist. Any help would be greatly appreciated.
a
Has anyone managed to fix this? Noticing the same: if I set `config_plugin` to `tls` then the `logger_plugin` is set to `tls` too.
z
You have to configure Fleet to send the appropriate options.
a
Actually I am testing with the server mock `test_http_server.py` ... and the config returned during the test should not override the `logger_plugin` AFAIK (will double check). Also, debugging the code at `initActivePlugin("logger", FLAGS_logger_plugin);` the second parameter is already `tls` rather than `filesystem`. And it looks like `initActivePlugin` is not considering the case of multiple plugins.
This is the flag file:
```
--ephemeral
--disable_enrollment=true
--allow_unsafe=true
--tls_hostname=localhost:1234
--host_identifier=hostname
--extension_autoload=false
--config_plugin=filesystem
--config_path=C:\Users\ftd\AppData\Local\Temp\osquery-test-python-32910\osquery.conf
--logger_plugin=filesystem
--logger_path=C:\Users\ftd\AppData\Local\Temp\osquery-test-python-32910\log
--disable_extensions=true
--disable_watchdog=true
--disable_events=false
--disable_logging=false
--buffered_log_max=100
--pidfile=C:\Users\ftd\AppData\Local\Temp\osquery-test-python-32910\osquery.pidfile
--verbose=true
--honeypot_cache_path=C:\Users\ftd\AppData\Local\Temp\osquery-test-python-32910\honeypot.cache
--honeypot_zip_file_path=C:\Users\ftd\AppData\Local\Temp\osquery-test-python-32910\honeypot.zip
--precise_uuid_path=C:\Users\ftd\AppData\Local\Temp\osquery-test-python-32910\precise.uuid
--debug_mode=false
--senseon_agent_path=C:\Users\ftd\AppData\Local\Temp\osquery-test-python-32910\senseon-agent.exe
--names_distribution_path=C:\Users\ftd\AppData\Local\Temp\osquery-test-python-32910\distributions
--honeytoken_path=C:\Users\ftd\AppData\Local\Temp\osquery-test-python-32910
```
Then this is the config I read/write:
```json
{
  "options": {
    "flagfile": "C:\\Users\\ftd\\AppData\\Local\\Temp\\osquery-test-python-32910\\osquery.flags",
    "database_path": "C:\\Users\\ftd\\AppData\\Local\\Temp\\osquery-tests-python-ftd\\tests.db6053",
    "pidfile": "C:\\Users\\ftd\\AppData\\Local\\Temp\\osquery-test-python-32910\\osquery.pidfile",
    "config_path": "C:\\Users\\ftd\\AppData\\Local\\Temp\\osquery-test-python-32910\\osquery.conf",
    "extensions_autoload": "",
    "extensions_socket": "\\\\.\\pipe\\tests.em8685",
    "extensions_interval": "1",
    "extensions_timeout": "0",
    "watchdog_level": "3",
    "disable_logging": "false",
    "disable_events": "true",
    "force": "true",
    "logger_path": "C:\\Users\\ftd\\AppData\\Local\\Temp\\osquery-test-python-32910\\log",
    "enroll_secret_path": "C:\\Users\\ftd\\AppData\\Local\\Temp\\osquery-test-python-32910\\instruction_enroll_secret",
    "tls_server_certs": "C:\\workspace\\endpoint\\build\\tools\\tests/test_server_ca.pem",
    "disable_distributed": false,
    "enroll_tls_endpoint": "/enroll/fail",
    "config_plugin": "tls",
    "config_tls_endpoint": "/config",
    "config_tls_refresh": 1,
    "config_refresh": 1,
    "config_tls_max_attempts": 0,
    "instructions_read": "/api/endpoints/instructions/read",
    "instructions_return": "/api/endpoints/instructions/return",
    "logger_plugin": "filesystem"
  },
  "schedule": {}
}
```
So apparently I am overriding `config_plugin` from `filesystem` to `tls` but not the `logger_plugin`.
I solved it. It was a strange behaviour from a wrong flags config on my end. Thank you.