osquery

Custom Logger plugin not receiving the logs from osquery


The custom logger plugin is written using osquery-go. When the osquery daemon is started with this extension auto-loaded, the logs are received by the custom logger plugin.

But if osqueryd is running as a daemon and the custom logger plugin is run independently, it does not receive the logs from osqueryd.

  1. Implemented a custom logger plugin using osquery-go (https://github.com/osquery/osquery-go#creating-logger-and-config-plugins). After receiving a log, it just prints the event.
  2. Built this logger as a .ext, changed the owner to 'root' and gave it the appropriate permissions.
  3. Configured osqueryd to capture file events.
  4. Started the osquery daemon.
  5. Ran the .ext with --socket /var/osquery/osquery.em --timeout 3.
  6. In /var/log/osquery/osqueryd.INFO I can see that it registered with the osquery daemon.
  7. When any file activity happens, I can see the FILE_EVENTS in /var/log/osquery/osqueryd.results.log, but the same result is not seen in the custom logger plugin, which is also registered with the osquery daemon.

If the osquery daemon is run with the extension auto-loaded, then the extension receives the FILE_EVENTS log.

When osqueryd and the extension are running as separate processes, why isn't osqueryd redirecting the logs to the extension?

Environment: macOS Monterey. I have added both osquery and the custom logger extension in Security Preferences -> Full Disk Access.


Solution

  • Generally, I would expect this pattern to work... However, I see a couple of things you did not discuss.

    Running the extension registers it with osquery. As you point out, it's in the logs. You should be able to confirm this inside osquery, with select * from osquery_registry where registry = 'logger';. (Note that you need to use osqueryi --connect to connect to the socket of the osqueryd to see what's registered with it)

    However, just being registered with osquery does not configure osquery to send logs there. You will also need to configure the logger appropriately. Take a look at the CLI flags --logger_plugin and --extensions_require. The former sets the logger to use, and the latter tells osquery to wait for an extension. Otherwise, osquery will try to configure the logger before your extension is in place.
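As an added illustration (not code from the question or from the osquery-go project), this is the shape of the logger callback such an extension registers, together with a decoder for the FILE_EVENTS result records osqueryd hands to whichever logger --logger_plugin names. The LogType stand-in, the extension name example_logger and the sample record are assumptions made so it runs with the standard library alone.

```go
package main

import (
	"context"
	"encoding/json"
	"fmt"
	"log"
)

// LogType stands in for osquery-go's logger.LogType (assumption, so the sample builds with the standard library alone).
type LogType string
const LogTypeString LogType = "string" // differential results, one JSON object per call

// ResultLine is the part of an osqueryd.results.log record a logger needs.
type ResultLine struct {
	Name    string            `json:"name"`
	Action  string            `json:"action"` // "added" or "removed"
	Columns map[string]string `json:"columns"`
}

// ParseResult decodes one result line, rejecting malformed or incomplete records instead of emitting an empty event.
func ParseResult(line string) (ResultLine, error) {
	var r ResultLine
	err := json.Unmarshal([]byte(line), &r)
	if err == nil && (r.Name == "" || r.Columns == nil) {
		err = fmt.Errorf("osquery result: missing name or columns")
	}
	return r, err
}

// Summarize renders a result as one audit line ("file_events added UPDATED /etc/hosts").
func Summarize(r ResultLine) string {
	if r.Name != "file_events" {
		return r.Name + " " + r.Action
	}
	return fmt.Sprintf("file_events %s %s %s", r.Action, r.Columns["action"], r.Columns["target_path"])
}

// HandleLog has the (ctx, type, text) callback shape osquery-go's logger.NewPlugin takes; osqueryd only calls it once started with --logger_plugin=<the extension's logger name>.
func HandleLog(ctx context.Context, typ LogType, logText string) error {
	if typ != LogTypeString {
		log.Printf("[%s] %s", typ, logText) // status/snapshot text: pass through unchanged
		return nil
	}
	r, err := ParseResult(logText)
	if err != nil {
		return err
	}
	log.Println(Summarize(r))
	return nil
}
```

With osquery-go this callback would be registered as logger.NewPlugin("example_logger", HandleLog) and osqueryd started with --logger_plugin=example_logger --extensions_require=example_logger, as the answer above describes.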