lvferdi
01/10/2019, 6:44 PM
tls
when running this flagfile I get no logs written to /var/log/osquery/osqueryd.results.log
--logger_path=/var/log/osquery/
--logger_plugin=filesystem
--disable_events=false
--enroll_secret_path=/etc/osquery/enrollment_secret
--tls_hostname=mykolide.com
--host_identifier=hostname
--enroll_tls_endpoint=/api/v1/osquery/enroll
--config_plugin=tls
--config_tls_endpoint=/api/v1/osquery/config
--config_tls_refresh=10
--disable_distributed=false
--distributed_plugin=tls
--distributed_interval=10
--distributed_tls_max_attempts=3
--distributed_tls_read_endpoint=/api/v1/osquery/distributed/read
--distributed_tls_write_endpoint=/api/v1/osquery/distributed/write
--disable_audit=false
--audit_allow_config=true
--audit_persist=true
--audit_allow_sockets
but if I run osquery with
--config_plugin=filesystem
--logger_plugin=filesystem
--disable_events=false
it works as expected and writes to file. Any reason the TLS configs would stop the filesystem logging?
zwass
--debug --tls_dump
to the osquery invocation.
lvferdi
01/20/2019, 6:18 PM
Flngen Flugen
06/26/2019, 12:05 AM
Andrea
02/10/2020, 6:18 PM
config_plugin to tls then the logger_plugin is set to tls too.
zwass
Andrea
02/11/2020, 10:48 AM
test_http_server.py ... and the config returned during the test should not override the logger_plugin AFAIK (will double check). Also, debugging the code at initActivePlugin("logger", FLAGS_logger_plugin); the second parameter is already tls rather than filesystem. And it looks like initActivePlugin is not considering the case of multiple plugins.
--ephemeral
--disable_enrollment=true
--allow_unsafe=true
--tls_hostname=localhost:1234
--host_identifier=hostname
--extension_autoload=false
--config_plugin=filesystem
--config_path=C:\Users\ftd\AppData\Local\Temp\osquery-test-python-32910\osquery.conf
--logger_plugin=filesystem
--logger_path=C:\Users\ftd\AppData\Local\Temp\osquery-test-python-32910\log
--disable_extensions=true
--disable_watchdog=true
--disable_events=false
--disable_logging=false
--buffered_log_max=100
--pidfile=C:\Users\ftd\AppData\Local\Temp\osquery-test-python-32910\osquery.pidfile
--verbose=true
--honeypot_cache_path=C:\Users\ftd\AppData\Local\Temp\osquery-test-python-32910\honeypot.cache
--honeypot_zip_file_path=C:\Users\ftd\AppData\Local\Temp\osquery-test-python-32910\honeypot.zip
--precise_uuid_path=C:\Users\ftd\AppData\Local\Temp\osquery-test-python-32910\precise.uuid
--debug_mode=false
--senseon_agent_path=C:\Users\ftd\AppData\Local\Temp\osquery-test-python-32910\senseon-agent.exe
--names_distribution_path=C:\Users\ftd\AppData\Local\Temp\osquery-test-python-32910\distributions
--honeytoken_path=C:\Users\ftd\AppData\Local\Temp\osquery-test-python-32910
Then this is the config I read/write:
{
  "options": {
    "flagfile": "C:\\Users\\ftd\\AppData\\Local\\Temp\\osquery-test-python-32910\\osquery.flags",
    "database_path": "C:\\Users\\ftd\\AppData\\Local\\Temp\\osquery-tests-python-ftd\\tests.db6053",
    "pidfile": "C:\\Users\\ftd\\AppData\\Local\\Temp\\osquery-test-python-32910\\osquery.pidfile",
    "config_path": "C:\\Users\\ftd\\AppData\\Local\\Temp\\osquery-test-python-32910\\osquery.conf",
    "extensions_autoload": "",
    "extensions_socket": "\\\\.\\pipe\\tests.em8685",
    "extensions_interval": "1",
    "extensions_timeout": "0",
    "watchdog_level": "3",
    "disable_logging": "false",
    "disable_events": "true",
    "force": "true",
    "logger_path": "C:\\Users\\ftd\\AppData\\Local\\Temp\\osquery-test-python-32910\\log",
    "enroll_secret_path": "C:\\Users\\ftd\\AppData\\Local\\Temp\\osquery-test-python-32910\\instruction_enroll_secret",
    "tls_server_certs": "C:\\workspace\\endpoint\\build\\tools\\tests/test_server_ca.pem",
    "disable_distributed": false,
    "enroll_tls_endpoint": "/enroll/fail",
    "config_plugin": "tls",
    "config_tls_endpoint": "/config",
    "config_tls_refresh": 1,
    "config_refresh": 1,
    "config_tls_max_attempts": 0,
    "instructions_read": "/api/endpoints/instructions/read",
    "instructions_return": "/api/endpoints/instructions/return",
    "logger_plugin": "filesystem"
  },
  "schedule": {}
}
so apparently I am overriding config_plugin from filesystem to tls but not the logger_plugin.