#fleet

Yash Boura

08/10/2021, 6:37 PM
One quick question: can we change the frequency of scheduled queries to less than 1 hour just to test?

Jocelyn Bothe

08/10/2021, 7:11 PM
Queries are scheduled in seconds, so you can schedule them as frequently as you like. We run some queries every 60 seconds in our setup.
👍 1

Sarah Gillespie

08/10/2021, 7:38 PM
Hi Yash, from the "Schedule" page, the "Advanced" button will take you to where you can create query packs and set your own custom frequency that is scheduled in seconds as Jocelyn noted above.
👍 1

Mystery Incorporated

08/11/2021, 3:13 AM
I run some queries every 5 seconds, YOLO
👍 1

Yash Boura

08/11/2021, 5:55 AM
Well thanks!
@Mystery Incorporated where can you see your scheduled queries running? For example, I can see the live queries running in my console but can't see the scheduled queries running in my console.

Mystery Incorporated

08/11/2021, 6:20 AM
@Yash Boura they go in results.log and get ingested to my SIEM. I'm reporting on them using a Kibana dashboard. I don't recommend Kibana though, it's highly inflexible and generally rubbish; I'd like to transfer to a different dashboarding tool at some stage.

Yash Boura

08/11/2021, 6:29 AM
@Mystery Incorporated I'll be going with a Kafka producer for listening to logs. But right now I'm on Windows, and the result.log just shows me the host details I'm connected to.

Mystery Incorporated

08/11/2021, 6:30 AM
@Yash Boura are you running some snapshot queries?
If they are differential queries and nothing changes, there will be no results.

Yash Boura

08/11/2021, 6:31 AM
@Mystery Incorporated I'm running two snapshot and one differential query.
Maybe the TLS logger plugin is giving me some issues.

Mystery Incorporated

08/11/2021, 6:33 AM
Yeah, run osqueryd from the console in Windows and see if you see anything.
I have noticed many situations where osquery just fails and doesn't log anything... logging definitely leaves something wanting.

Yash Boura

08/11/2021, 6:38 AM
Got the issue, getting this when running osqueryd from the console:
Cannot activate filesystem logger plugin: Could not create file: \Program Files\osquery\log\osqueryd.results.log

Mystery Incorporated

08/11/2021, 6:52 AM
@Yash Boura if you're using TLS it shouldn't even be trying to use filesystem. I think you maybe have BOTH filesystem and TLS declared as logging types; try removing the filesystem one and see if it works.

Yash Boura

08/11/2021, 7:10 AM
@Mystery Incorporated tried it, no luck.

Mystery Incorporated

08/11/2021, 7:17 AM
@Yash Boura same error? Also delete any osquery.conf file.

Yash Boura

08/11/2021, 7:27 AM
@Mystery Incorporated osquery.conf is a required file, right?

Mystery Incorporated

08/11/2021, 7:27 AM
@Yash Boura nope, use only the flags file; delete it.

Yash Boura

08/11/2021, 7:35 AM
@Mystery Incorporated I'm kinda confused. I start my osqueryd with the flags file only.

Mystery Incorporated

08/11/2021, 7:36 AM
So what? Delete the .conf file, because by default osquery looks for flags and conf at default paths.
With Fleet it pushes the config that overrides the .conf file, but if it's not connecting to Fleet then it's probably trying to use the default .conf file, which would be exactly the reason why it's still trying to log to the filesystem despite you removing that from the flags.
👍 1

Yash Boura

08/11/2021, 7:42 AM
@Mystery Incorporated cool, on it.
@Mystery Incorporated working now!

Mystery Incorporated

08/11/2021, 10:25 AM
Told ya 😛
😊 1