# general

Tao Jiang

06/24/2020, 3:27 PM
Hi all, I need some help getting a logger plugin working. I tried https://github.com/osquery/osquery-python/blob/master/examples/foobar_logger.ext using the command `python .\foobar_logger.ext --socket \\.\pipe\osquery.em` to attach to osqueryd, but nothing was logged. Thx!

theopolis

06/24/2020, 4:38 PM
Hi Tao, how are you starting the osquery process? osquery will have to know what logger plugin you want to use, for example with `--logger_plugin foobar_logger`

Tao Jiang

06/24/2020, 4:41 PM
Does that mean a logger plugin works differently from a table plugin? For a table plugin, I can attach to osqueryd later. I had thought I could do the same with a logger plugin.
Our osqueryd is configured as a Windows service:
```
sc.exe create osqueryd type= own start= auto error= normal binpath= "E:\osquery\osqueryd\osqueryd.exe --flagfile=E:\osquery\osquery.flags" displayname= "osqueryd"
sc.exe start osqueryd
```
Since we are primarily running with osqueryd, we have to update the osquery.conf file by adding foobar_logger. We also have to update osquery.flags by adding `--extensions_timeout=600 --extensions_require=foobar_logger` to give osqueryd enough time to wait for the logger to start, because the logger cannot start/attach to the socket until osqueryd has started. This is quite an awkward process.
If a logger plugin could work the same way as a table plugin, even if we needed to use ExtensionClient to activate the logger, it would be a much better and more robust approach.

theopolis

06/24/2020, 10:18 PM
Instead of launching the extension separately, use the auto load feature https://osquery.readthedocs.io/en/latest/deployment/extensions/
With auto loading, you should be able to keep the default timeout.

Tao Jiang

06/25/2020, 3:21 AM
Thanks! However, there are a few concerns with this approach. 1. What if the extension crashes? The only option will be restarting osquery. 2. We'd like to use osquery as a universal data collection agent and pass data to downstream components for some processing before the data is shipped to the cloud. It will be hard to model the downstream component as a logger.
I found tls config/logger could be much better alternative. https://github.com/osquery/osquery/issues/940