Debugging syslog table configuration #1964
Comments
I am struggling to fix the syslog table; still nothing is being populated in the syslog table. The log shows:
Shouldn't that be
@jacknagz Yes, will correct above.
@my-janala Come on over to the osquery Slack if you would like more help debugging. You can catch my attention by mentioning me with @zwass in there.
@zwass The steps for debugging the syslog table are nice. I am also facing the same issue, but with syslog-ng. In my case syslogs do get logged in the file /var/log/osquery/osqueryd.results.log if I use system() in the syslog-ng source, but not with a pipe as a source. Obviously syslogs do not appear in the syslog table. The named pipe has been created and syslog-ng is running as root:adm, although I have checked with root:root as well.
There is no error in /var/log/syslog either. I am using Ubuntu 16.10 and no firewall is running.
@DwijadasDey I don't understand the issue you are experiencing. Please join the osquery Slack if you would like more help debugging. You can catch my attention by mentioning me with @zwass in there.
If anyone is interested in using the
This issue attempts to help debug configuration errors with the Linux `syslog` table. osquery reads syslog logs from `rsyslogd` via a named pipe. This pipe, and `rsyslogd`, must be configured properly in order to query syslog.

Debugging Suggestions

- Make sure you are running with the `--enable_syslog` flag (as well as `--disable_events=false` when using it with `osqueryi`).
- Check osquery's own log output (the `verbose` configuration flag gives more detail).
- Does `/var/osquery/` (or the directory you used for `syslog_pipe_path`) exist? Is it read/writeable by the osquery process?
- Does `/var/osquery/syslog_pipe` (or the path you used for `syslog_pipe_path`) exist? Is it readable by the osquery process?
- If nothing shows up in the `syslog` table, check the permissions of the pipe file:
  - If `rsyslogd` runs as user `syslog` (default Ubuntu setup):
  - If `rsyslogd` runs as user `root`:
- Make sure that `rsyslogd` is able to write to the pipe. Run `cat /var/osquery/syslog_pipe` (or the path you used for `syslog_pipe_path`), then use the `logger` utility in another shell: `logger "test log foo"`. Did the output show up in the shell running `cat`?

If the above steps fail:

- Make sure `rsyslogd` is properly configured to write to the pipe. See the configuration docs.
- Restart `rsyslogd`: `sudo service rsyslog restart`.
- Does `rsyslogd` report any errors in `/var/log/syslog`?
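The pipe checks above, scripted as an added example (not osquery's own tooling and not posted in this thread). It assumes the default pipe path unless one is passed as an argument, and in the round-trip test the shell itself stands in for `rsyslogd` as the writer, so run that part against a pipe nothing else is reading:

```shell
#!/bin/sh
# Added example (not osquery's own tooling) that scripts the checks above.
# Assumes the default pipe path /var/osquery/syslog_pipe unless a path is
# passed as the first argument; needs only a POSIX shell, head and mktemp.

# check_syslog_pipe PIPE
# Returns 0 when PIPE's directory exists, PIPE exists, is a FIFO and is
# readable by the current user (so run it as the osquery user); else 1.
check_syslog_pipe() {
  pipe="$1"
  dir=$(dirname "$pipe")
  if [ ! -d "$dir" ]; then
    echo "missing directory $dir (check syslog_pipe_path)"; return 1
  fi
  if [ ! -e "$pipe" ]; then
    echo "missing $pipe (is --enable_syslog set and osqueryd running?)"; return 1
  fi
  if [ ! -p "$pipe" ]; then
    echo "$pipe is not a named pipe; remove it and let osquery recreate it"; return 1
  fi
  if [ ! -r "$pipe" ]; then
    echo "$pipe is not readable by $(id -un): $(ls -l "$pipe")"; return 1
  fi
  echo "ok: $(ls -l "$pipe")"
}

# pipe_roundtrip PIPE MESSAGE
# The cat/logger step without rsyslogd: a background reader takes one line
# from PIPE while this shell plays rsyslogd and writes MESSAGE. Returns 0
# when the message arrives. Use it on a pipe that osqueryd is not reading,
# otherwise osquery may consume the line instead of the reader here.
pipe_roundtrip() {
  pipe="$1"; msg="$2"
  out=$(mktemp)
  head -n 1 "$pipe" > "$out" &
  reader=$!
  # Opening a FIFO for writing blocks until a reader has opened it.
  printf '%s\n' "$msg" > "$pipe"
  wait "$reader"
  grep -qxF -- "$msg" "$out"
  status=$?
  rm -f "$out"
  return "$status"
}

# Usage: sh check_pipe.sh [/path/to/syslog_pipe]
if [ -n "${1:-}" ]; then
  check_syslog_pipe "$1"
fi
```

If the round-trip succeeds on a fresh pipe but `logger` output never reaches `cat` in the real setup, the fault is on the `rsyslogd` side (its configuration or its write permission on the pipe), not in osquery.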
Other considerations