Starting and started successfully.
# kolidet
Tom Frost
09/19/2018, 9:06 AMStarting and started successfully.
m
Mustafa
09/19/2018, 10:24 AMyou probably checked attributes of the service….
Mustafa
09/19/2018, 10:24 AMPath to executable: …
Mustafa
09/19/2018, 10:24 AMMustafa
09/19/2018, 10:30 AMI’m not sure if it works for you but you can try to kill all the instance of the service / processes that running and delete the osqueryd service itself and create a new osqueryd service using a cmd command or a powershell script
t
Tom Frost
09/19/2018, 10:47 AMYes, I did all of that.
Tom Frost
09/19/2018, 10:48 AMAnd when I start it with the -S option manually, it works well.
Tom Frost
09/19/2018, 10:59 AMSo I expect something with permissions or what - but I can´t make it to log anywhere.
z
zwass
09/19/2018, 1:59 PM
If you can get some logs we can help you debug. I'm not super familiar with Windows to figure out how to do that.
t
Tom Frost
09/20/2018, 6:55 AMThat´s the problem - if I had any logs, I could start troubleshooting, but where to get them? Log directory is empty, when I tried to change logger_plugin in flagfile, it does not do anything. I suspect that the service is not correctly starting, but I don´t know where to look.
m
Mustafa
09/20/2018, 7:42 AMYou say that if you start Osquery manually everything is OK. (i understand that you start it from CMD). in this case there should be a problem with the service. Did you try to delete the service and set again? You can delete the service using the Autoruns tool and then you can create a new Osquery service using this command: (from cmd)
sc.exe create osqueryd type= own start= auto error= normal binpath= “C:\ProgramData\osquery\osqueryd\osqueryd.exe --flagfile=\ProgramData\osquery\osquery.flags” displayname= ‘osqueryd’
Mustafa
09/20/2018, 7:44 AMhmm pardon you said that you did…
t
Tom Frost
09/20/2018, 7:46 AMYes, I did.
Tom Frost
09/20/2018, 7:47 AMIf only I can talk it into dropping some logs...
m
Mustafa
09/20/2018, 8:00 AMcan you share the service’s attribute under the “path to executable” you can see above. Also can you share the command you use in CMD , and lastly your flag file ?
t
Tom Frost
09/20/2018, 9:37 AMTom Frost
09/20/2018, 9:38 AMPS C:\ProgramData\osquery\osqueryd> .\osqueryd.exe --flagfile=C:\ProgramData\osquery\osquery.flags --verbose -S
Tom Frost
09/20/2018, 9:38 AMThat works.
Tom Frost
09/20/2018, 11:04 AMThat is strange. It seems that every time I make some adjustment in flagfile, osquery does load the original version so no changes are actually made.
Tom Frost
09/20/2018, 11:19 AMCan Kolid Fleet actually overwrite the flags? It seems that no matter what change I do in the flagfile, the same version gets loaded or pushed.
Tom Frost
09/20/2018, 11:23 AMNot that it matters much in this case, as the flags are obviously correct.
m
Mustafa
09/20/2018, 12:29 PMyes, kolide override the value if same flags sets on both kolide fleet and agent’s flag file
Mustafa
09/20/2018, 12:31 PMCheck that please also your osquery.flags file maynot be formatted correctly. (UTFxx)
t
Tom Frost
09/20/2018, 12:33 PMIt is, when I run it from command line, it takes the flagfile with no problem.
Tom Frost
09/20/2018, 12:34 PMAlso I use the installer that works on other systems. And it was working here too since few days ago.
Tom Frost
09/20/2018, 12:35 PMBut I can´t figure out what might have happened there.
2 Views