osquery #fleet

Ryan

08/26/2021, 4:54 PM

I'm trying out the vulnerability scanner, seems like a great feature. Can I ask what's the intended workflow here? I can see a couple of vulnerabilities showing up on a host's page in the "Software" section, but can I query for that in a Query Pack or similar? Is there a way to show all the known vulnerabilities across all your hosts? What's the intended way to use this feature? Thanks!

Kun Nan

08/27/2021, 6:32 AM

Hi,when I use redis cluster,I encounter MOVED redis error,why does the fleet source code not use the redisc RetryConn?

Steven

08/27/2021, 6:03 PM

Using fleet with OSQuery and queries seem to run correctly for regular OSQuery. However have added the cloudquery extension (https://github.com/Uptycs/cloudquery) to some cloud hosts and results do not come back for the extension, but regular queries still seem to work just fine. Ran a query from the actual host using osqueryi and the extension shows results, for some reason just fails to be reporting results back to fleet. Unsure what would be causing this type of issue, assume if it was a connectivity issue or something all queries would fail, just not queries for the extension.

Juan Alvarez

08/30/2021, 2:30 PM

Hi Fleet team, in my company we have our own SIEM and we are leveraging osquery and fleet core to forward data to it. When it comes to Fleet we are doing our own rebranding so it is coherent with the rest of our UI. Is there any requirement for us to comply with when rebranding FleetDM? (sth like keeping links, or references to your website...) We love your product and would not like to make a mistake with this. Thanks!

Kun Nan

08/31/2021, 9:39 AM

I have a question,why does fleet grpc server not let user config MaxReceiveMessageSize? So forcibly use the default value 4MB

Madhur Jodhwani

08/31/2021, 12:58 PM

and where does the log files of scheduled queries results get stored by default in mac?or how to know the location of the log file?

Stijn Pieters

08/31/2021, 2:29 PM

Hey, I'm trying to get a list of vulnerabilities for the software installed on my hosts. For Windows hosts I get a proper software list on the "Host" page, but for Linux hosts I'm getting a user list instead. I also haven't seen any vulnerabilities in the software list, but maybe I'm just not that vulnerable :^) I set the required environment variable and configured a path to write the vulnerability DB to. Did I miss something?

Lee Armet

08/31/2021, 7:13 PM

Hey Folks, beginner here. I'm getting the following error: sudo fleetctl preview Downloading dependencies into /root/.fleet/preview... Pulling Docker dependencies... Invalid interpolation format for “fleet01” option in service “services”: “fleetdm/fleet:${FLEET_VERSION:-latest}”

jake

09/01/2021, 5:06 AM

Good morning, I am currently trying to build a MSI Package with Orbit. I keep getting the following error when building.

error="rename msi: rename /tmp/orbit-package2439375703/orbit.msi orbit-osquery_0.0.3.msi: invalid cross-device link"

Could anyone point me in the right direction.

Kun Nan

09/01/2021, 8:28 AM

Hi,When I run query on fleet UI,the fleet log show the error message below

Copy code

fleet_3         | 2021/09/01 07:08:44 http: TLS handshake error from 10.17.1.21:36762: remote error: tls: unknown certificate

Seth Hanford

09/01/2021, 5:16 PM

Did fleetctl intentionally lose “fleetctl get options” in version 4.2.3? I can do “fleetctl get options” using fleetctl 3.13.0 and it will give me what is now called “agent options”, including per-platform auto_table_construction definitions. The YAML kind is now config, but when I do fleetctl get config I only get the server configuration and not the agent_options details (so SAML, SMTP, etc. setting). But when I do fleetctl get -h in fleetctl 4.2.3, I see no options / agent-options command:

Copy code

NAME:
   fleetctl get - Get/list resources

USAGE:
   fleetctl get command [command options] [arguments...]

COMMANDS:
   queries, query, q                                             List information about one or more queries
   packs, pack, p                                                List information about one or more packs
   labels, label, l                                              List information about one or more labels
   hosts, host, h                                                List information about one or more hosts
   enroll_secret, enroll_secrets, enroll-secret, enroll-secrets  Retrieve the osquery enroll secrets
   config                                                        Retrieve the Fleet configuration
   carve                                                         Retrieve details for a carve by ID
   carves                                                        Retrieve the file carving sessions
   user_roles, user_role, ur                                     List global and team roles for users
   teams, t                                                      List teams
   help, h                                                       Shows a list of commands or help for one command

OPTIONS:
   --help, -h  show help (default: false)

Lee Armet

09/01/2021, 6:22 PM

any suggestions what I am doing wrong?

Jocelyn Bothe

09/01/2021, 7:46 PM

is there any way to get all labels to show up under pack targets? the search times out, and I can't select my custom label as a pack target

Venkaiah

09/02/2021, 3:30 AM

Copy code

Hi Team i am facing error " go run: no packages loaded from ./cmd/package"   when i run command   
go run ./cmd/package --type=pkg --fleet-url=localhost:8412 --insecure --enroll-secret=YOUR_FLEET_ENROLL_SECRET_HERE

Ryan

09/02/2021, 5:56 PM

Is there a way to see which hosts have failed when attempting to run a live query? For example this is the output I see from a query targeted at All Hosts:

benbass

09/02/2021, 8:52 PM

I just upgraded my test environment to 4.2.4, and when I am trying to get to one of the hosts I get sent to a 500 error page.

Madhur Jodhwani

09/03/2021, 8:31 AM

can someone here explain me how the updation of osquery works through orbit like a detailed view of it?

09/03/2021, 1:56 PM

Hello all, quick question, I am trying to download the CPE db but I need to set a proxy in fleet to download the files. I tried setting it in

/etc/environment

and I can successfully use proxy on the command line but fleet does not seem to respect it. Seeing this error:

Copy code

Sep 03 14:12:39 fleet[18823]: {"component":"crons","cron":"vulnerabilities","err":"sync cpe db: Get \"<https://api.github.com/repos/fleetdm/nvd/releases?per_page=1>\": dial tcp 140.82.121.5:443: connect: connection refused","level":"e
Sep 03 15:00:44 fleet[18823]: [mysql] 2021/09/03 15:00:44 packets.go:122: closing bad idle connection: EOF
Sep 03 15:00:44 fleet[18823]: [mysql] 2021/09/03 15:00:44 connection.go:158: driver: bad connection

Mystery Incorporated

09/04/2021, 6:57 PM

Heya is it meant to not remove the old vulnerable entry when I update????

jake

09/05/2021, 2:26 AM

After many days of struggling, I finally got was able to get FleetDM deployed utilizing Traefik with Let's Encrypt Certs for the Web UI and using GRPC Load balancer for the API. Same domain name for both, use port 443 mapped to any port that you set Fleet too.

✅ 2

ryan

09/06/2021, 9:43 AM

Is it normal behavior to have pack queries log in the results.log but not show up as having run when you view the host in the web ui? I see the packs are scheduled to run in the advanced schedule section and they log in the results.log but don’t ever show as having run when I look at the host on the web.

Madhur Jodhwani

09/06/2021, 10:32 AM

Copy code

Command:go run ./cmd/package --type pkg --enroll-secret=+6fOMFntLWUrMphCww64WTXP2P7LWlWo --fleet-url=<https://127.0.0.1:8080> --update-url=<http://localhost:8000> --update-roots='[{"keytype":"ed25519","scheme":"ed25519","keyid_hash_algorithms":["sha256","sha512"],"keyval":{"public":"058619f952fcd0d3504fedb65f37b714a9b32efd34a61070ae193d7a11ae1307"}}]' --insecure



Output:2021-09-06T15:59:55+05:30 FTL package failed error="initialize updates: failed to get orbit: exec new version: Incorrect Usage. flag needs an argument: -version\n\nNAME:\n  Orbit osquery - A powered-up, (near) drop-in replacement for osquery\n\nUSAGE:\n  orbit [global options] command [command options] [arguments...]\n\nCOMMANDS:\n  help, h Shows a list of commands or help for one command\n\nGLOBAL OPTIONS:\n  --type value        Type of package to build\n  --enroll-secret value   Enroll secret for authenticating to Fleet server\n  --fleet-url value     URL (host:port) of Fleet server\n  --fleet-certificate value Path to server cerificate bundle\n  --identifier value     Identifier for package product (default: \"com.fleetdm.orbit\")\n  --version value      Version for package product (default: \"0.0.2\")\n  --insecure         Disable TLS certificate verification (default: false)\n  --service         Install orbit/osquery with a persistence service (launchd, systemd, etc.) (default: true)\n  --sign-identity value   Identity to use for macOS codesigning\n  --notarize         Whether to notarize macOS packages (default: false)\n  --osqueryd-channel value  Update channel of osqueryd to use (default: \"stable\")\n  --orbit-channel value   Update channel of Orbit to use (default: \"stable\")\n  --update-url value     URL for update server (default: \"<https://tuf.fleetctl.com>\")\n  --update-roots value    Root key JSON metadata for update server (from fleetctl updates roots)\n  --debug          Enable debug logging (default: false)\n  --help, -h         show help (default: false)\n\x1b[90m2021-09-06T15:59:55+05:30\x1b[0m \x1b[1m\x1b[31mFTL\x1b[0m\x1b[0m package failed \x1b[31merror=\x1b[0m\x1b[31m\"flag needs an argument: -version\"\x1b[0m\n: exit status 1"
exit status 1

So I have been trying to figure out this that I have my own update server and I have added orbit and osqueryd binaries to it but I am unable to build orbit package as specified in the docs and I get the above error on running thequery as mentioned, any idea what I have done wrong coz I am trying to figure out the auto update part.

Juan Alvarez

09/06/2021, 1:34 PM

Hi all, is there any guidance on how to configure the parameters

FLEET_MYSQL_MAX_IDLE_CONNS

and

FLEET_MYSQL_MAX_OPEN_CONNS

? I started to see

Error 1040: Too Many Connections

along with

Authentication Error: Finding Host

so i think that MySQL was dropping an excessive amount of connections coming from the FleetDM. Our configuration was

FLEET_MYSQL_MAX_IDLE_CONNS=50

and Max Open

FLEET_MYSQL_MAX_OPEN_CONNS=400

which i think it was overwhelming the mysql that has a

max_connections

variable of 151. Once i lowered `FLEET_MYSQL_MAX_OPEN_CONNS=100`i stopped seeing the errors. The question is, what is a typical configuration for those parameters when having deployments of several thousands clients? Should we configure

FLEET_MYSQL_MAX_OPEN_CONNS

close to the

max_connections

value in MySQL? And what would be FleetDM's behavior if he needs to check in the database but the max amount of connections is reached? Any guidance is appreciated!

Manu Odago

09/06/2021, 3:05 PM

Hello, I am trying to create labels on my fleet server to monitor some events such as file changes, resource usage and so on, I am running queries that really do not give me the results I would want, does anyone have any useful resources on labels that I can read and learn from?

koo

09/06/2021, 5:11 PM

Hello @Manu Odago

Chad

09/07/2021, 3:04 PM

Hey fleet team, getting

error="initialize updates: failed to update metadata: update metadata: tuf: failed to decode timestamp.json: expired at 2021-09-06 09:41:08 -0700 -0700"

error when building an msi. Does the tuf stuff need to be resigned by you?

09/07/2021, 3:47 PM

Hello all, I am trying to understand the logs of the vulnerabilities part, what does

"cron":"vulnerabilities","leader":"Not the leader. Skipping..."

mean?

defensivedepth

09/07/2021, 3:52 PM

hey all! I think this may have changed recently - How does FleetDM choose which IP to display in the WebUI for a host? REF: https://github.com/Security-Onion-Solutions/securityonion/discussions/5412

CptOfEvilMinions

09/07/2021, 8:10 PM

Questions about transitioning from Fleet Basic -> Fleet Premium: Can you transition from Fleet Basic -> Premium? If so, is the process as simple as just adding a license?

Kun Nan

09/08/2021, 1:03 AM

Hi, I find that fleet still import old version of kolide/launcher,and the logger of old version of lancher does not use level to distinguish different level of logs https://github.com/fleetdm/fleet/blob/main/go.mod#L47 take "RequestQueries" for example • the imported version

Copy code

func (mw logmw) RequestQueries(ctx context.Context, nodeKey string) (res *distributed.GetQueriesResult, reauth bool, err error) {
	defer func(begin time.Time) {
		resJSON, _ := json.Marshal(res)
		uuid, _ := uuid.FromContext(ctx)
		mw.logger.Log(
			"method", "RequestQueries",
			"uuid", uuid,
			"res", string(resJSON),
			"reauth", reauth,
			"err", err,
			"took", time.Since(begin),
		)
	}(time.Now())

	res, reauth, err = mw.next.RequestQueries(ctx, nodeKey)
	return
}

• the newest version

Copy code

func (mw logmw) RequestQueries(ctx context.Context, nodeKey string) (res *distributed.GetQueriesResult, reauth bool, err error) {
	defer func(begin time.Time) {
		resJSON, _ := json.Marshal(res)
		uuid, _ := uuid.FromContext(ctx)
		logger := level.Debug(mw.logger)
		if err != nil {
			logger = <http://level.Info|level.Info>(mw.logger)
		}
		logger.Log(
			"method", "RequestQueries",
			"uuid", uuid,
			"res", string(resJSON),
			"reauth", reauth,
			"err", err,
			"took", time.Since(begin),
		)
	}(time.Now())

	res, reauth, err = mw.next.RequestQueries(ctx, nodeKey)
	return res, reauth, err
}