#kolide

Tom Frost

09/19/2018, 9:06 AM
Starting and started successfully.

Mustafa

09/19/2018, 10:24 AM
You probably checked the attributes of the service….
Path to executable: …
I'm not sure if it works for you, but you can try to kill all the instances of the service / processes that are running, delete the osqueryd service itself, and create a new osqueryd service using a cmd command or a PowerShell script.

Tom Frost

09/19/2018, 10:47 AM
Yes, I did all of that.
And when I start it with the -S option manually, it works well.
So I expect something with permissions or similar, but I can't make it log anywhere.

zwass

09/19/2018, 1:59 PM
If you can get some logs we can help you debug. I'm not super familiar with Windows to figure out how to do that.

Tom Frost

09/20/2018, 6:55 AM
That's the problem: if I had any logs, I could start troubleshooting, but where to get them? The log directory is empty, and when I tried to change logger_plugin in the flagfile, it did not do anything. I suspect that the service is not starting correctly, but I don't know where to look.

Mustafa

09/20/2018, 7:42 AM
You say that if you start osquery manually everything is OK (I understand that you start it from CMD). In this case there should be a problem with the service. Did you try to delete the service and set it up again? You can delete the service using the Autoruns tool and then create a new osquery service using this command (from cmd): sc.exe create osqueryd type= own start= auto error= normal binpath= "C:\ProgramData\osquery\osqueryd\osqueryd.exe --flagfile=\ProgramData\osquery\osquery.flags" displayname= "osqueryd"
Hmm, pardon, you said that you did…

Tom Frost

09/20/2018, 7:46 AM
Yes, I did.
If only I can talk it into dropping some logs...

Mustafa

09/20/2018, 8:00 AM
Can you share the service's attribute under the "path to executable" you can see above? Also, can you share the command you use in CMD, and lastly your flag file?

Tom Frost

09/20/2018, 9:37 AM
PS C:\ProgramData\osquery\osqueryd> .\osqueryd.exe --flagfile=C:\ProgramData\osquery\osquery.flags --verbose -S
That works.
That is strange. It seems that every time I make some adjustment in the flagfile, osquery loads the original version, so no changes are actually applied.
Can Kolide Fleet actually overwrite the flags? It seems that no matter what change I make in the flagfile, the same version gets loaded or pushed.
Not that it matters much in this case, as the flags are obviously correct.

Mustafa

09/20/2018, 12:29 PM
Yes, Kolide overrides the value if the same flags are set on both Kolide Fleet and the agent's flag file.
Please check that; also, your osquery.flags file may not be formatted correctly (UTFxx).

Tom Frost

09/20/2018, 12:33 PM
It is; when I run it from the command line, it takes the flagfile with no problem.
Also, I use the installer that works on other systems. And it was working here too since a few days ago.
But I can't figure out what might have happened there.