#general - Hello, has osquery changed how

Home Docs

Join the conversation Join Slack

Channels

j
JohnM
11 months ago
Hello, has osquery changed how osqueryd.results.log works? It now uses a sticky bit and I can't find any documentation to what changed? I am struggling to change these permissions as the daemon keeps changing it back which means I can't log my results into splunk. Thanks
s
seph
11 months ago
I don't think we merged something that would change this. Is this an issue with the enclosing directory? Does the sticky but cover files?
Though.. https://github.com/osquery/osquery/pull/7015 did change some of logging
Are you using the logger-mode flag?
j
JohnM
11 months ago
Hello Seph. Within my osquery.conf file I have "logger_mode": "644"
I am running all my conf within the osquery.conf file and it looks like the daemon is using an osquery.flags file. Could that be an issue?
Stefano Bonicatti
11 months ago
Beware that gflags doesn't parse octal, and normally you would have to write it as
```
0644
```
. Though for instance the documentation makes an example with
```
--logger_mode=420
```
because that's the decimal value of the octal
```
0644
```
So you need to use
```
--logger_mode=420
```
, while the default right now is
```
--logger_mode=416
```
Also the documentation has to be corrected
s
seph
11 months ago
I think we should fix the parsing. not the documentation. But we can chat in the PR
j
JohnM
11 months ago
They documentation does state "_File mode for output log files by the *filesystem* plugin (provided as an octal string)._" I must have missed that out, thanks for the help.
Stefano Bonicatti
11 months ago
ah yeah, but still, the
```
octal string
```
part is incorrect, because if so it would accept
```
0644
```
or
```
644
```
and always parse it as an octal, it’s instead parsing it in base 10, so as a decimal.

Join thread in Slack

View count: 2