
benbass

10/31/2018, 3:23 PM
@R0n osquery logs those to where you have your logger_plugin configured to.

R0n

10/31/2018, 4:01 PM
they get logged in the hosts? not sure where the logger_plugin gets set

benbass

10/31/2018, 4:07 PM
You can set the logger_plugin either from fleet or from your osquery.flags file.

R0n

10/31/2018, 4:39 PM
osquery:
  node_key_size: 24
  status_log_file: /tmp/osquery_status
  result_log_file: /tmp/osquery_result
  enable_log_rotation: false
  label_update_interval: 1h0m0s
?

benbass

10/31/2018, 4:47 PM
Do you have logger_plugin set? I don’t know what it defaults to.

R0n

10/31/2018, 5:00 PM
probably not
if it's not showing in conf dump
I did not set up the fleet, so I'm not sure how it got set up

benbass

10/31/2018, 5:42 PM
Gotcha. I would look to add a logger_plugin value; you can use TLS if you want the osquery logs to log to your fleet server or “filesystem” if you want the endpoints to log locally.
If you do have them log locally, make sure to set logger_path, and logger_mode isn’t a bad idea either.

R0n

10/31/2018, 6:15 PM
how do you set those loggers?
fleetctl config set ?

benbass

10/31/2018, 7:30 PM
fleetctl apply options
You have to build your full options file. I would suggest grabbing what you have and writing it out to a file. Then add what you need to a copy of that new file and apply the revised one.
This way you have a copy of your existing options and can apply those back if necessary.

R0n

10/31/2018, 7:44 PM
👍
similar to this one https://github.com/kolide/fleet/blob/master/examples/config-single-file.yml right? do you know the location of the current one?
fleet config_dump
the location of that yaml i get after running config_dump
I think I got it. ty for your help