https://github.com/osquery/osquery logo
Powered by
Title
z

zwass

12/18/2018, 12:19 AM
What are the contents of /etc/osquery/osquery-local.conf?
k

Konstantin

12/18/2018, 4:17 AM
root@hq-o:/etc/osquery# cat osquery-local.conf
{
  "schedule": {
    "process_events": {
      "query": "SELECT * FROM process_events;",
      "interval": 10,
      "snapshot" : false
    }
  },

  "decorators": {
    "load": [
      "SELECT uuid AS host_uuid FROM system_info;",
      "SELECT user AS username FROM logged_in_users ORDER BY time DESC LIMIT 1;"
    ]
  }
}
z

zwass

12/18/2018, 4:29 AM
It looks to me like Fleet is sending down a correct config, so I suspect this might be a bug in osquery. A couple things to check: 1) Does osquery with a local config work when you specify 
--logger_plugin='syslog,filesystem'
2) Does osquery with the Fleet config work if you set 
logger_plugin
to just 
syslog
?
#kolideJoin Slack
Powered by