osquery

Failed to connect osquery from a Windows server to Kolide Fleet


I am trying to connect osquery on a Windows server to Kolide Fleet. The osqueryd service was created successfully, but nothing appears on my Kolide Fleet dashboard.

I created the service through:

sc.exe create osqueryd type= own start= auto error= normal binpath= "C:\Program Files\osquery\osqueryd\osqueryd.exe --flagfile=\Program Files\osquery\osquery.flags" displayname= 'osqueryd'

sc.exe start osqueryd

My osquery.flags:

--enroll_secret_path="C:\Users\xxx\Desktop\Secret\enroll_secret.txt"
--tls_server_certs="C:\Users\xxx\Desktop\Secret\certiticate.cer"
--tls_hostname=127.0.0.1:8080
--host_identifier=uuid
--enroll_tls_endpoint=/api/v1/osquery/enroll
--config_plugin=tls
--config_tls_endpoint=/api/v1/osquery/config
--config_refresh=10
--disable_distributed=false
--distributed_plugin=tls
--distributed_interval=3
--distributed_tls_max_attempts=3
--distributed_tls_read_endpoint=/api/v1/osquery/distributed/read
--distributed_tls_write_endpoint=/api/v1/osquery/distributed/write
--logger_plugin=tls
--logger_tls_endpoint=/api/v1/osquery/log
--logger_tls_period=10

I have no idea how to change the flag command to suit a Windows service.


Solution

  • The best way to debug this kind of issue is to test out your configuration by running osqueryd manually, rather than as a service. This will let you see the logs and get your settings correct before setting up the service.

    You'll want to use the following command in PowerShell:

    & 'C:\Program Files\osquery\osqueryd\osqueryd.exe' --flagfile='\Program Files\osquery\osquery.flags'

    Now that you can see the output from osqueryd, you may be able to determine the issue. If not, add the --verbose --tls_dump flags and you will have further output to work with:

    & 'C:\Program Files\osquery\osqueryd\osqueryd.exe' --flagfile='\Program Files\osquery\osquery.flags' --verbose --tls_dump

    Use this to debug your issue, setting the flagfile appropriately. Once you have done so, you should be able to start up the service using the same flagfile and have it connect successfully.
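Before running osqueryd in the foreground, it is worth checking the flagfile itself for the mistakes that let a Windows service start cleanly and still never enroll: a path without a drive letter (the service runs with no predictable working directory, so the `\Program Files\...` flagfile path in the sc.exe command above resolves relative to the current drive), a referenced file that does not exist, a plugin set to `tls` with no matching endpoint, or a `tls_hostname` that the server certificate may not cover. The following checker is an added example, not code from the question, the answer, or the osquery project; it parses the `--key=value` flagfile format and applies those checks. The sample flags are a constructed copy of the ones in the question, and the `exists` parameter is an assumption introduced so the checks can run without the real files.

```python
"""Lint an osquery flagfile for the TLS-enrollment mistakes that let a
Windows service start cleanly yet never show up in Fleet.
Added example; not the question's, the answer's, or osquery's own code."""
import os
import re

# Constructed sample, modelled on the flags file in the question above.
SAMPLE_FLAGS = r'''
--enroll_secret_path="C:\Users\xxx\Desktop\Secret\enroll_secret.txt"
--tls_server_certs="C:\Users\xxx\Desktop\Secret\certiticate.cer"
--tls_hostname=127.0.0.1:8080
--host_identifier=uuid
--enroll_tls_endpoint=/api/v1/osquery/enroll
--config_plugin=tls
--config_tls_endpoint=/api/v1/osquery/config
--logger_plugin=tls
--logger_tls_endpoint=/api/v1/osquery/log
'''

# Flags whose value is a file osqueryd must be able to open at start-up.
PATH_FLAGS = ("enroll_secret_path", "tls_server_certs")
# Minimum set for enrolling against a Fleet-style TLS server.
REQUIRED_FOR_TLS = ("tls_hostname", "enroll_secret_path",
                    "tls_server_certs", "enroll_tls_endpoint")
# A plugin set to tls needs its matching endpoint flag.
PLUGIN_ENDPOINTS = {"config_plugin": "config_tls_endpoint",
                    "logger_plugin": "logger_tls_endpoint"}

WIN_ABS = re.compile(r"^[A-Za-z]:\\")  # drive letter followed by a backslash


def parse_flags(text):
    """Parse `--key=value` / `--key` lines into a dict; '#' lines are comments.
    Surrounding double or single quotes around the value are stripped."""
    flags = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not line.startswith("--"):
            raise ValueError(f"not a flag line: {raw!r}")
        key, sep, value = line[2:].partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        flags[key.strip()] = value if sep else "true"
    return flags


def check_flags(flags, flagfile_path=None, exists=os.path.exists):
    """Return a list of findings (empty means nothing obviously wrong).
    `exists` is injectable (assumption) so the checks run without real files."""
    findings = []
    for key in REQUIRED_FOR_TLS:
        if key not in flags:
            findings.append(f"missing required flag --{key}")
    for plugin, endpoint in PLUGIN_ENDPOINTS.items():
        if flags.get(plugin) == "tls" and endpoint not in flags:
            findings.append(f"--{plugin}=tls but --{endpoint} is not set")
    # A service has no predictable working directory: every path must be absolute.
    paths = [(k, flags[k]) for k in PATH_FLAGS if k in flags]
    if flagfile_path is not None:
        paths.append(("flagfile", flagfile_path))
    for key, path in paths:
        if not WIN_ABS.match(path):
            findings.append(f"--{key}={path}: not an absolute Windows path (no drive letter)")
        elif not exists(path):
            findings.append(f"--{key}={path}: file does not exist")
    # osqueryd verifies the server certificate against tls_hostname.
    host = flags.get("tls_hostname", "")
    if host.split(":")[0] in ("127.0.0.1", "localhost"):
        findings.append(f"--tls_hostname={host}: loopback address; "
                        "the server certificate must be valid for this name")
    return findings


if __name__ == "__main__":
    parsed = parse_flags(SAMPLE_FLAGS)
    # Same flagfile path as the sc.exe command in the question: no drive letter.
    for finding in check_flags(parsed, flagfile_path=r"\Program Files\osquery\osquery.flags"):
        print(finding)
```

Run it on the real flagfile before creating the service; anything it reports is something `--verbose --tls_dump` would otherwise only show you after the service has already failed to enroll.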