launcher log types should match osquery-go ones.
In osquery-go we have an enum for logs:

```go
// LogType encodes the type of log osquery is outputting.
type LogType int

const (
	LogTypeString LogType = iota
	LogTypeSnapshot
	LogTypeHealth
	LogTypeInit
	LogTypeStatus
)
```
But the launcher sends both string and snapshot logs as Result:

```go
switch req.LogType {
case logger.LogTypeStatus:
	typ = kolide_agent.LogCollection_STATUS
case logger.LogTypeString, logger.LogTypeSnapshot:
	// two osquery-go types collapse into one wire type here
	typ = kolide_agent.LogCollection_RESULT
default:
	// health and init (and anything new) end up as AGENT
	typ = kolide_agent.LogCollection_AGENT
}
```
This makes it difficult for a server to implement the osquery-go enum as it needs to split the result type back into two.
Additional note: the launcher adds LogCollection_AGENT, which is not present in the osquery-go LogType.
This means that the go-kit launcher can't use the logger from the osquery-go plugin.
My 2c are that we should make everything for the PublishLogs endpoint consistent across osquery-go plugin, launcher and servers and add a separate endpoint for launcher logs if we need to.
- to be consistent with the osquery logger
- someone listening on the PublishLogs endpoint is expecting data from osquery, not debug information from the launcher. We should treat the two types of logs separately.
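A concrete illustration of the splitting problem described above, as an added example that is not launcher, fleet or osquery-go code: it copies the osquery-go LogType enum and the lossy launcher switch from this issue into a stand-alone program, then shows what a server receiving a RESULT batch has to do to recover the osquery-go type by sniffing the JSON shape osquery emits (snapshot results carry a "snapshot" array, differential results carry "columns" plus an "action", status lines carry the short "s"/"f"/"i"/"m" keys). The CollectionType values, the sample batch and the key-based classification are assumptions made for this example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// LogType mirrors the osquery-go enum quoted in the issue.
type LogType int

const (
	LogTypeString LogType = iota
	LogTypeSnapshot
	LogTypeHealth
	LogTypeInit
	LogTypeStatus
)

var logTypeName = []string{"string", "snapshot", "health", "init", "status"}

// CollectionType stands in for the kolide_agent.LogCollection_* values named
// in the issue (hypothetical local copy, not the generated protobuf type).
type CollectionType int

const (
	CollectionAgent CollectionType = iota
	CollectionStatus
	CollectionResult
)

// ToCollectionType is the launcher mapping quoted in the issue: string and
// snapshot logs both collapse into RESULT, so the wire type alone cannot tell
// a server which one it received.
func ToCollectionType(t LogType) CollectionType {
	switch t {
	case LogTypeStatus:
		return CollectionStatus
	case LogTypeString, LogTypeSnapshot:
		return CollectionResult
	default:
		return CollectionAgent
	}
}

// ClassifyResult recovers the osquery-go LogType of one RESULT line from the
// JSON shape osquery emits. Unknown shapes are rejected rather than guessed.
func ClassifyResult(line []byte) (LogType, error) {
	var fields map[string]json.RawMessage
	if err := json.Unmarshal(line, &fields); err != nil {
		return 0, fmt.Errorf("not a JSON object: %w", err)
	}
	_, hasSnapshot := fields["snapshot"]
	_, hasColumns := fields["columns"]
	_, hasAction := fields["action"]
	_, hasSeverity := fields["s"]
	_, hasMessage := fields["m"]
	switch {
	case hasSnapshot:
		return LogTypeSnapshot, nil
	case hasColumns && hasAction:
		return LogTypeString, nil
	case hasSeverity && hasMessage:
		// A status line that arrived as RESULT is the mislabelling this issue
		// complains about; surface it instead of storing it as query data.
		return LogTypeStatus, nil
	}
	return 0, errors.New("unrecognised osquery log shape")
}

// SplitResults groups a RESULT batch back into per-LogType slices, which is
// the work a server is forced into by the lossy mapping above.
func SplitResults(lines [][]byte) (map[LogType][][]byte, []error) {
	out := make(map[LogType][][]byte)
	var errs []error
	for _, l := range lines {
		t, err := ClassifyResult(l)
		if err != nil {
			errs = append(errs, err)
			continue
		}
		out[t] = append(out[t], l)
	}
	return out, errs
}

// sampleBatch is constructed for this example; the status line copies the
// shape of the snapshot-labelled lines quoted later in the issue.
var sampleBatch = [][]byte{
	[]byte(`{"name":"pack/test/hosts","hostIdentifier":"FA01680E-98CA-5557-8F59-7716ECFEE964","calendarTime":"Tue Dec 12 01:04:10 2017 UTC","unixTime":1513040650,"epoch":0,"counter":0,"columns":{"address":"127.0.0.1","hostnames":"localhost"},"action":"added"}`),
	[]byte(`{"snapshot":[{"address":"127.0.0.1","hostnames":"localhost"}],"action":"snapshot","name":"pack/test/hosts","hostIdentifier":"FA01680E-98CA-5557-8F59-7716ECFEE964","calendarTime":"Tue Dec 12 01:04:21 2017 UTC","unixTime":1513040661}`),
	[]byte(`{"s":"0","f":"events.cpp","i":"824","m":"Event publisher not enabled: openbsm: Publisher disabled via configuration","h":"FA01680E-98CA-5557-8F59-7716ECFEE964","c":"Sat Nov 18 23:31:28 2017 UTC","u":"1511047888"}`),
	[]byte(`not json`),
}

func main() {
	groups, errs := SplitResults(sampleBatch)
	for t, lines := range groups {
		fmt.Printf("%-8s %d line(s)\n", logTypeName[t], len(lines))
	}
	for _, err := range errs {
		fmt.Println("rejected:", err)
	}
}
```

The point of the example is the asymmetry: ToCollectionType is a one-liner, while undoing it needs payload inspection and still has to handle shapes it cannot place. A one-to-one wire enum (or a separate endpoint for launcher-originated logs, as proposed above) removes ClassifyResult entirely.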
#101 appears to still be a problem with fleet
```
snapshot {"s":"0","f":"events.cpp","i":"824","m":"Event publisher not enabled: event_tapping: Publisher disabled via configuration","h":"FA01680E-98CA-5557-8F59-7716ECFEE964","c":"Sat Nov 18 23:31:28 2017 UTC","u":"1511047888"}
snapshot {"s":"0","f":"events.cpp","i":"824","m":"Event publisher not enabled: openbsm: Publisher disabled via configuration","h":"FA01680E-98CA-5557-8F59-7716ECFEE964","c":"Sat Nov 18 23:31:28 2017 UTC","u":"1511047888"}
snapshot {"s":"0","f":"events.cpp","i":"824","m":"Event publisher not enabled: scnetwork: Publisher not used","h":"FA01680E-98CA-5557-8F59-7716ECFEE964","c":"Sat Nov 18 23:31:28 2017 UTC","u":"1511047888"}
snapshot {"s":"0","f":"distributed.cpp","i":"133","m":"Executing distributed query: kolide_detail_query_network_interface: select * from interface_details id join interface_addresses ia\n on ia.interface = id.interface where broadcast != \"\"\n order by (ibytes + obytes) desc","h":"FA01680E-98CA-5557-8F59-7716ECFEE964","c":"Sat Nov 18 23:31:28 2017 UTC","u":"1511047888"}
snapshot {"s":"0","f":"distributed.cpp","i":"133","m":"Executing distributed query: kolide_detail_query_os_version: select * from os_version limit 1","h":"FA01680E-98CA-5557-8F59-7716ECFEE964","c":"Sat Nov 18 23:31:28 2017 UTC","u":"1511047888"}
```
In fleet's PublishLogs method:

```go
case logger.LogTypeSnapshot, logger.LogTypeString:
	// both types are stored as query results
	for _, log := range logs {
		results = append(results, []byte(log))
	}
```

Only LogTypeString is an actual osquery log.
nvm, this is a problem in fleet, because fleet is not up to date with launcher master...
The launcher status logs are so spartan compared to osquery:

```json
{
  "s": "0",
  "f": "scheduler.cpp",
  "i": "75",
  "m": "Executing scheduled query pack/test/hosts: SELECT * FROM etc_hosts;",
  "h": "FA01680E-98CA-5557-8F59-7716ECFEE964",
  "c": "Tue Dec 12 01:04:10 2017 UTC",
  "u": "1513040650"
}
{
  "s": "0",
  "f": "scheduler.cpp",
  "i": "75",
  "m": "Executing scheduled query pack/test/hosts: SELECT * FROM etc_hosts;",
  "h": "FA01680E-98CA-5557-8F59-7716ECFEE964",
  "c": "Tue Dec 12 01:04:21 2017 UTC",
  "u": "1513040661"
}
```
I don't think we're going to dig deep here