Couldn't execute osquery (osqueryd)


Bonifacio Acebedo Jr.

Oct 5, 2021, 3:10:24 AM10/5/21
to Wazuh mailing list
Hi,

I just made a fresh install of Wazuh this morning and installed Osquery, everything seems to be okay from start to finish but I found this error upon checking on the Wazuh logs.

I got version 4.2 of Wazuh and Osquery 5.0.1, any help would be highly appreciated.

[Attachment: Wazuh Logs.jpg]

Thanks.

Boni

Alvaro Romero Sepulveda

Oct 5, 2021, 4:11:51 AM10/5/21
to Wazuh mailing list
Hi Bonifacio,

I'm glad you asked this question!

As you may have seen, Osquery was recently updated to v5.0.1, a version in which its installation path was moved from /usr/local to /opt/osquery on macOS and Linux for portability reasons. This led our Osquery integration to fail when the bin-path variable isn't set, as, by default, the integration tries to run the osqueryd binary assuming it is in the PATH variable, where it could be found in previous versions.

The good news is that we've already started fixing this behavior, as you can see in this Pull Request, which will hopefully be available for the next Wazuh release.

Currently, as the integration is only failing when bin-path isn't set, you can manually fix it by including the new binary's path in your configuration, as shown in this example:

<wodle name="osquery">
   <disabled>no</disabled>
   <run_daemon>yes</run_daemon>
   <bin_path>/opt/osquery/bin</bin_path>
   <log_path>/var/log/osquery/osqueryd.results.log</log_path>
   <config_path>/etc/osquery/osquery.conf</config_path>
   <add_labels>no</add_labels>
   <pack name="custom_pack">/path/to/custom_pack.conf</pack>
</wodle>


Mind that you may also have to modify your osquery.conf file if it contains references to old Osquery resources that were located in /usr/share/osquery.

Hope that helps!
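The reply above describes two things an operator has to check by hand: where the osquery 5.x package actually put osqueryd, and whether the osquery wodle in ossec.conf already carries a bin_path pointing there. The following POSIX shell script is an added example for that check; it is not code from the thread or from Wazuh. It assumes the search order the reply describes (PATH first, then the 5.x location /opt/osquery/bin, then the pre-5.x /usr/local/bin), reads the bin_path element with a simple sed pattern (one element per line, no surrounding whitespace, as in the example configuration above), and the function names and output strings are my own.

```shell
#!/bin/sh
# Added example (not from the thread or from Wazuh): locate osqueryd the way
# the Wazuh osquery wodle needs it and check whether an ossec.conf already
# points at it.

# Print the first directory in a colon-separated list that holds an executable
# osqueryd. The default list reproduces the situation in the thread: PATH (what
# the wodle relies on when <bin_path> is empty), then the osquery 5.x install
# location, then the pre-5.x one. Exit status 1 when nothing is found.
find_osqueryd_dir() {
  candidates="${1:-$PATH:/opt/osquery/bin:/usr/local/bin}"
  old_ifs=$IFS
  IFS=:
  for d in $candidates; do
    if [ -x "$d/osqueryd" ]; then
      IFS=$old_ifs
      printf '%s\n' "$d"
      return 0
    fi
  done
  IFS=$old_ifs
  return 1
}

# Read <bin_path> from a Wazuh ossec.conf ($1) and report one line:
#   "ok DIR"       bin_path is set and DIR/osqueryd is executable (exit 0)
#   "missing DIR"  bin_path is set but there is no executable osqueryd in DIR
#   "unset"        bin_path is empty or absent, so the wodle will rely on PATH
# Only "ok" exits 0. The sed pattern assumes the element sits on one line
# without surrounding whitespace, as in the configuration shown in the thread.
check_wodle_bin_path() {
  conf=$1
  bin_path=$(sed -n 's|.*<bin_path>\(.*\)</bin_path>.*|\1|p' "$conf" | head -n 1)
  if [ -z "$bin_path" ]; then
    echo unset
    return 1
  fi
  if [ -x "$bin_path/osqueryd" ]; then
    echo "ok $bin_path"
    return 0
  fi
  echo "missing $bin_path"
  return 1
}

# Usage as a script: sh check_osquery_path.sh /var/ossec/etc/ossec.conf
# When the configuration does not resolve, print where osqueryd was found so
# the value can be copied into <bin_path>.
if [ $# -eq 1 ] && [ -f "$1" ]; then
  if ! check_wodle_bin_path "$1"; then
    echo "osqueryd found in: $(find_osqueryd_dir || echo none)"
  fi
fi
```

On a host that reports "unset" or "missing", the directory printed by find_osqueryd_dir is the value to put in the wodle's bin_path element; a host where osqueryd is still on PATH (a pre-5.x install) reports "unset" but keeps working, which is exactly the case the reply says the integration used to depend on.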