Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
t
Tom Frost
09/19/2018, 9:06 AMStarting and started successfully.
m
Mustafa
09/19/2018, 10:24 AMyou probably checked attributes of the service….
Path to executable: …
I’m not sure if it works for you but you can try to kill all the instance of the service / processes that running and delete the osqueryd service itself and create a new osqueryd service using a cmd command or a powershell script
t
Tom Frost
09/19/2018, 10:47 AMYes, I did all of that.
And when I start it with the -S option manually, it works well.
So I expect something with permissions or what - but I can´t make it to log anywhere.
z
zwass
09/19/2018, 1:59 PMIf you can get some logs we can help you debug. I'm not super familiar with Windows to figure out how to do that.
t
Tom Frost
09/20/2018, 6:55 AMThat´s the problem - if I had any logs, I could start troubleshooting, but where to get them? Log directory is empty, when I tried to change logger_plugin in flagfile, it does not do anything. I suspect that the service is not correctly starting, but I don´t know where to look.
m
Mustafa
09/20/2018, 7:42 AMYou say that if you start Osquery manually everything is OK. (i understand that you start it from CMD). in this case there should be a problem with the service. Did you try to delete the service and set again? You can delete the service using the Autoruns tool and then you can create a new Osquery service using this command: (from cmd)
sc.exe create osqueryd type= own start= auto error= normal binpath= “C:\ProgramData\osquery\osqueryd\osqueryd.exe --flagfile=\ProgramData\osquery\osquery.flags” displayname= ‘osqueryd’
hmm pardon you said that you did…
t
Tom Frost
09/20/2018, 7:46 AMYes, I did.
If only I can talk it into dropping some logs...
m
Mustafa
09/20/2018, 8:00 AMcan you share the service’s attribute under the “path to executable” you can see above. Also can you share the command you use in CMD , and lastly your flag file ?
t
Tom Frost
09/20/2018, 9:37 AMPS C:\ProgramData\osquery\osqueryd> .\osqueryd.exe --flagfile=C:\ProgramData\osquery\osquery.flags --verbose -S
That works.
That is strange. It seems that every time I make some adjustment in flagfile, osquery does load the original version so no changes are actually made.
Can Kolid Fleet actually overwrite the flags? It seems that no matter what change I do in the flagfile, the same version gets loaded or pushed.
Not that it matters much in this case, as the flags are obviously correct.
m
Mustafa
09/20/2018, 12:29 PMyes, kolide override the value if same flags sets on both kolide fleet and agent’s flag file
Check that please also your osquery.flags file maynot be formatted correctly. (UTFxx)
t
Tom Frost
09/20/2018, 12:33 PMIt is, when I run it from command line, it takes the flagfile with no problem.
Also I use the installer that works on other systems. And it was working here too since few days ago.
But I can´t figure out what might have happened there.