Channels
doorman
infrastructure
random
zercurity
community-feeds
fleet-dev
code-review
queryhub
apple-silicon
carving
tls
fim
goquery
zentral
aws
querycon
golang
zeek
file-carving
fuzzing
auditing-warroom
linen-dev
fleetosquery
plugins
jobs
arm-architecture
darkbytes
process-auditing
uptycs
android_tests
selfgroup
vendor-feeds
fleet
eclecticiq-polylogyx-extension
ebpf
website
core
general
macos
kolide
osctrl
extensions
foundation
sql
officehours
linux
windows
Title
p
Prash
11/07/2018, 7:47 AMHi , I know that Kolide server can log the results osquery agents in a central log file. May I know where I can I see those logs? My osquery_result is empty
j
joncrain
11/07/2018, 2:18 PMCheck this out! https://github.com/kolide/fleet/blob/master/docs/infrastructure/working-with-osquery-logs.md
Basically, default is
/tmp/osquery_resultp
Prash
11/07/2018, 2:36 PMThank you .. Will check
j
joncrain
11/07/2018, 2:42 PMAlso, check to see if you have anything scheduled to run 🙂
I think I've loaded packs in the past, but not enabled them and that's why I was not getting results...
p
Prash
11/07/2018, 2:48 PMHey Joncrain.. No luck ..
can you kindly let me know which config file I should check ?
j
joncrain
11/07/2018, 2:52 PMthe config file may or may not be used. it's just the config that's used to startup fleet. https://github.com/kolide/fleet/blob/master/docs/infrastructure/configuring-the-fleet-binary.md
can you verify that its running? run something like
ps aux | grep fleetp
Prash
11/07/2018, 2:53 PMyes it is
j
joncrain
11/07/2018, 2:54 PMdo you have any packs installed?
p
Prash
11/07/2018, 2:55 PMI did the same way .. I passed --osquery_result_log_file flag while staring fleet
no I did not install any flag
I am just running query from GUI
j
joncrain
11/07/2018, 2:58 PMsomeone from kolide may have to verify this, but I don't think adhoc queries get logged to the results file
you could save a query, create a new pack, enable it and add a host to check this
p
Prash
11/07/2018, 3:00 PMohh is it .. will try running packs
I just created a sample pack and it is in enabled state
How should I run the packs now
j
joncrain
11/07/2018, 3:07 PMtake a look at this: https://github.com/kolide/fleet/blob/master/docs/dashboard/scheduling-queries.md
p
Prash
11/07/2018, 3:13 PMIt is very helpfull
Will check all the docs
before that I see some results in osquery_status
I guess its coming from the default osqueryd query which I have removed