osquery #fleet

girish

05/24/2023, 4:10 PM

Hello all..please help.. how to get the ip address using a query. i see the ip when i click 'hosts' but unable to retrieve it. thank you

Nemesis Contreras

05/24/2023, 5:41 PM

Hi Team, My company currently uses FleetDM I had a question about how often does a regular (non API-only ) user’s API key expires? Weekly, monthly, etc

Luke Heath

05/24/2023, 11:09 PM

set the channel topic: ☁️ 🚀 The latest version of Fleet is 4.32.0. More info: https://github.com/fleetdm/fleet/releases/tag/fleet-v4.32.0 Upgrade now: https://github.com/fleetdm/fleet/releases/latest

Zay Hanlon

05/25/2023, 3:08 PM

set the channel topic: ☁️ 🚀 The latest version of Fleet is 4.32.0. More info: https://github.com/fleetdm/fleet/releases/tag/fleet-v4.32.0 Upgrade now: https://fleetdm.com/docs/deploying/upgrading-fleet

Ari Weinberg

05/25/2023, 3:59 PM

Is there a way to set different command line options for different OSs under agent options in the fleet UI?

Szymon Szóstak

05/25/2023, 4:54 PM

Hi! I am trying to use your helm chart but getting wrong chart name - what should be whole repo + chart name?

Szymon Szóstak

05/25/2023, 5:49 PM

helm search repo <https://fleetdm.github.io/fleet/charts/> --versions
No results found

Szymon Szóstak

05/25/2023, 5:49 PM

helm search repo <https://fleetdm.github.io/fleet/charts/fleet/fleet> --versions
No results found

Szymon Szóstak

05/25/2023, 5:49 PM

helm search repo <https://fleetdm.github.io/fleet/charts/fleet> --versions
No results found

Szymon Szóstak

05/25/2023, 5:50 PM

not sure what path its the correct one

Zapier

05/25/2023, 7:52 PM

🏗️ New commits pushed to Fleet »

Sebastiaan

05/25/2023, 9:46 PM

Hi! I followed @Lucas Rodriguez advice earlier and for most of it, fleet on kubernetes seems to work. The only problem I still have left is that running live queries doesn't seem to work from the interface in any shape or form. This are the logs I see from nginx as a proxy (fleet doesn't seem to show any logs at that point):

x.x.x.x -  [25/May/2023:21:39:05 +0000] "POST /api/v1/fleet/results/198/tmxrqkgm/xhr_send?t=1685050744996 HTTP/1.1" 405 0 "<https://fleet.security.pleo.io/queries/new>" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36" 7017 0.002 [fleet-fleet-8080] [] 172.x.x.x:8080 0 0.001 405 6753df76dfb05c2be4398c1e10e4512b
x.x.x.x -  [25/May/2023:21:39:04 +0000] "POST /api/v1/fleet/results/198/gq3lvb2w/xhr_streaming?t=1685050744898 HTTP/1.1" 405 0 "<https://fleet.security.pleo.io/queries/new>" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36" 6857 0.000 [fleet-fleet-8080] [] 172.x.x.x:8080 0 0.001 405 e615a3ca7d0c7749c443fecd81675e6c
x.x.x.x -  [25/May/2023:21:39:04 +0000] "GET /api/v1/fleet/results/198/n0ex0hts/websocket HTTP/1.1" 403 10 "" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36" 6750 0.000 [fleet-fleet-8080] [] 172.x.x.x:8080 10 0.001 403 de8df61d42f7d1f6073c1bb23ebeb3d5

And this is part of my kubernetes config:

---
apiVersion: <http://helm.toolkit.fluxcd.io/v2beta1|helm.toolkit.fluxcd.io/v2beta1>
kind: HelmRelease
metadata:
  name: fleet
spec:
  chart:
    spec:
      chart: fleet
      version: 5.0.1
      sourceRef:
        kind: HelmRepository
        name: fleet
  values:
    ingress:
      enabled: true
      className: ingress-external
      hosts:
        - host: fleet.hostname.tld
          paths:
            - path: /
              pathType: ImplementationSpecific
      annotations:
        <http://kubernetes.io/external-dns-class|kubernetes.io/external-dns-class>: ingress-external
        <http://nginx.ingress.kubernetes.io/service-upstream|nginx.ingress.kubernetes.io/service-upstream>: "true"
        <http://nginx.ingress.kubernetes.io/upstream-vhost|nginx.ingress.kubernetes.io/upstream-vhost>: internal.fleet.hostname.local
        <http://nginx.ingress.kubernetes.io/proxy-read-timeout|nginx.ingress.kubernetes.io/proxy-read-timeout>: "3600"
        <http://nginx.ingress.kubernetes.io/proxy-send-timeout|nginx.ingress.kubernetes.io/proxy-send-timeout>: "3600"
        <http://nginx.ingress.kubernetes.io/secure-backends|nginx.ingress.kubernetes.io/secure-backends>: "true"
        <http://nginx.ingress.kubernetes.io/ssl-redirect|nginx.ingress.kubernetes.io/ssl-redirect>: "true"
        <http://nginx.org/websocket-services|nginx.org/websocket-services>: "fleet"
        <http://nginx.ingress.kubernetes.io/server-snippets|nginx.ingress.kubernetes.io/server-snippets>: |
          location / {
            proxy_set_header Upgrade $http_upgrade;
            proxy_http_version 1.1;
            proxy_set_header X-Forwarded-Host $http_host;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-For $remote_addr;
            proxy_set_header Origin "<https://fleet.hostname.tld>";
            proxy_set_header Host $host;
            proxy_set_header Connection "upgrade";
            proxy_pass_header X-XSRF-TOKEN;
            proxy_cache_bypass $http_upgrade;
            }
    fleet:
      keepalive: true
      tls:
        enabled: false
      websockets_allow_unsafe_origin: true

Sebastiaan

05/25/2023, 9:47 PM

Is there anyone that is able to give me advice on how to solve the situation?

wennan.he

05/26/2023, 2:44 AM

HI fleet team, If fleet serving with different domain name through API, will it make osquery cannot enroll with the pem offered by fleet?

wennan.he

05/26/2023, 3:37 AM

Hi fleet team, our structure is like osquery -> LB -> fleet and we access fleet through browser through domain A, and osquery access fleet through domain B, in this case, the certificate osquery using is what i download from browser, and right now our osquery keeps failing on enroll with err May 26 03:24:58 XXXXXXXXXX osqueryd[1882290]: W0526 03:24:58.614423 1882292 tls_enroll.cpp:101] Failed enrollment request to https://XXXX/api/v1/osquery/enroll (Request error: certificate verify failed) retrying... is that because of different domain of fleet?

Nakshi Kalolia

05/29/2023, 2:02 PM

I have added a policy in my fleetdm. When I run that query it shows that 23 hosts in "NO" category. But in the policy section it shows only 3 in "NO" category. Can anyone will help me with this?

Jörg Sachse

05/30/2023, 11:49 AM

Hi Everyone, I'm trying to write my own query pack to import into FleetDM. I've found a few files in the wild, but they seem to follow different syntax/schemas. Can anyone point me to a documentation for the schema used to parse query packs? I'm all out of my Google-Fu. EDIT: If there's no "real" documentation (as in "website"), I'll also go with a GitHub link or something along those lines.

Don

05/30/2023, 5:54 PM

Howdy, folks. I'm getting a lot of noise in my syslog files from orbit on each of my servers:

INF flags updates failed error="error getting flags from fleet: enroll endpoint does not exist"

Everything seems to be working fine. I haven't yet found how to turn on this endpoint or, alternatively, how to drop the orbit syslog level to ERR or something similar. What's the best practice here? Thanks much!

Vikas

05/30/2023, 7:14 PM

Hello Fleet team, We have our all host in one AMI, all host has privet IP from 10.202.4.*, which belongs to one of our organizations AWS account. No we I tried to query on all that host in Splunk, I got all the host, but in Fleet dm, I am not getting all the host, missing some of them ? Is there any knows issue or can someone help me out why I am not getting all host from that particular AWS account ?

Zapier

05/30/2023, 9:19 PM

🏗️ New commits pushed to Fleet »

Ari Weinberg

06/01/2023, 2:15 PM

Is there a way to specify an old orbit version when generating an installer?

Daniel Bretón Suárez

06/01/2023, 4:39 PM

I've seen this error, does it indicate the fleet used all the RAM available on the machine?

Jun 01 14:23:00 XXX fleet[3998530]: runtime: out of memory: cannot allocate 16777216-byte block (15477866496 in use)
Jun 01 14:23:00 XXX fleet[3998530]: fatal error: out of memory

JD Strong

06/01/2023, 5:16 PM

How you can automate your configuration profiles with GitHub Actions and :fleet: Fleet. 🚀 https://fleetdm.com/guides/using-github-actions-to-apply-configuration-profiles-with-fleet

Zapier

06/01/2023, 7:46 PM

🏗️ New commits pushed to Fleet »

JD Strong

06/02/2023, 4:25 PM

⏰ Join us today at 3pm EDT / Noon PDT as we dive deeper into the future of device management 🚀 With :fleet: Fleet's new GitOps-driven MDM, we can bring security teams, IT teams, and end users closer than ever before with comprehensive security and monitoring capabilities. https://www.linkedin.com/events/7065388411494264832/comments/

Aaron

06/02/2023, 4:40 PM

Hello everyone, is it possible to have multiple instances of the same logging destination? Like 2 instances of AWS Lambda?

Lili

06/05/2023, 8:19 AM

Hello! How much time is lived token (--enroll-secret) which used for enroll hosts? Need I update him for some time or this token can be used for all time?

Tor Houghton

06/05/2023, 9:41 AM

It does not automatically time out, no 🙂

Szymon Szóstak

06/05/2023, 10:27 AM

Is there any info how to expose web interface using your k8s helm charts?

Szymon Szóstak

06/05/2023, 10:38 AM

using :8080 and ingress telnet for port works but there is now web interface avaiable