# kolide
b
@R0n osquery logs those to where you have your logger_plugin configured to.
r
they get logged in the hosts? not sure where the logger_plugin gets set
b
You can set the logger_plugin either from fleet or from your osquery.flags file.
r
osquery:
  node_key_size: 24
  status_log_file: /tmp/osquery_status
  result_log_file: /tmp/osquery_result
  enable_log_rotation: false
  label_update_interval: 1h0m0s
?
b
Do you have logger_plugin set? I don’t know what it defaults to.
r
probably not
if it's not showing in conf dump
i did not set up the fleet, so i'm not sure how it got set up
b
Gotcha. I would look to add a logger_plugin value. You can use TLS if you want the osquery logs to log to your fleet server, or “filesystem” if you want the endpoints to log locally.
If you do have them log locally, make sure to set logger_path; logger_mode isn’t a bad idea either.
r
how do u set those loggers?
fleetctl config set ?
b
fleetctl apply options
You have to build your full options file. I would suggest grabbing what you have and writing it out to a file. Then adding what you need to a copy of that new file and applying the revised one.
This way you have a copy of your existing options and can apply those back if necessary.
r
👍
similar to this one https://github.com/kolide/fleet/blob/master/examples/config-single-file.yml right? do you know the location of the current one?
fleet config_dump
the location of that yaml i get after running config_dump
i think i got it. ty for ur help