When i run

osqueryd.exe

as a process I am able to enroll my windows host. But when i configure a

service

. Same host doesn't come online in my Kolide web console. I have also enabled

Windows Event Log support

as described here. Event logs also doesn't show any entries. Where to look for further troubleshooting? PS: I'm using

manage-osqueryd.ps1

for configuring the my service.

You need to make sure you are running the service with the same configuration as the process. Try putting all the flags you are using for the process into a flagfile and then providing that to the service.

Thanks @zwass I made sure. It's the exact same flag file. Shouldn't there be a better way to diagnose? Am I missing something...are there any logs that I can look at? like when you run

osqueryd

as a process i can add

--verbose

flag and see tons of logs on console screen. Where did these logs go when I run it as a service?

IIRC windows services don't really provide a good mechanism for debugging.

Yes. The service is running. And yes providing the absolute path as well. I am suspecting there might be some issue with using quote around the path at certain places. (Did some search on previous posts in this channel) For ex: I was earlier using double quotes for

--tls_server_certs

it certificate validation was failing. Removed rhe double quotes and it worked fine. But for

--extentions_autoload

I had to use double quotes else

osqueryd

would print our a lot of incoherent output on the screen. So Right now I'm using one flag with double quotes and one without. I'm not sure if this is the right direction or I'm just going crazy.

Are those flags in a flagfile or are you passing them directly to the invocation of osqueryd?

Everything in a flag file @zwass.