Juan Alvarez
09/08/2021, 10:35 AM
Sep 08 10:27:24 devo-ea-manager fleet[860]: 2021/09/08 10:27:24 http: TLS handshake error from 10.0.4.5:34344: EOF
I am doing some scale testing, and I have an AWS t3.xlarge box with 2k agents where everything seems to work correctly, but this error appears periodically. Any suggestion to understand why this could be happening?
Jocelyn Bothe
09/08/2021, 6:37 PM
err="scan keys: dial tcp 10.10.24.224:6380: i/o timeout" msg="failed to migrate live query redis keys"
Jocelyn Bothe
09/08/2021, 7:39 PM
Andrew Baker
09/08/2021, 8:57 PM
jake
09/08/2021, 10:34 PM
overrides:
  platforms:
    windows:
      options:
        logger_plugin: tls
        pack_delimiter: /
        logger_tls_period: 10
        distributed_plugin: tls
        disable_distributed: false
        logger_tls_endpoint: /api/v1/osquery/log
        distributed_interval: 10
        distributed_tls_max_attempts: 3
        enable_ntfs_event_publisher: true
        enable_windows_events_subscriber: true
        enable_powershell_events_subscriber: true
        events_optimize: true
        events_max: 100000
        events_expiry: 900
        disable_events: false
        disable_logging: false
        schedule_splay_percent: 10
        schedule_max_drive: 15
        windows_event_channels: >-
          System,Application,Setup,Security,Microsoft-Windows-Windows Firewall
          With Advanced Security/Firewall,Microsoft-Windows-Windows Firewall
          With Advanced Security/ConnectionSecurity
        utc: true
        pack_refresh_interval: 1800
        disable_watchdog: false
        watchdog_level: 0
        watchdog_memory_limit: 512
        watchdog_delay: 120
        enable_extensions_watchdog: true
      decorators:
        load:
          - SELECT version FROM osquery_info
          - SELECT uuid AS host_uuid FROM system_info
        always:
          - >-
            SELECT user AS username FROM logged_in_users WHERE user <> '' ORDER
            BY time LIMIT 1
        interval:
          '3600': SELECT total_seconds AS uptime FROM uptime
Madhur Jodhwani
09/09/2021, 12:06 PM
SK
09/09/2021, 12:14 PM
Madhur Jodhwani
09/09/2021, 1:36 PM
go run ./cmd/package --type=msi --enroll-secret=2exkBvZ6k4S+949LpNo7dKlGFjlqHWRS --fleet-url=https://127.0.0.1:8080 --update-url=http://localhost:8000 --update-roots='[{"keytype":"ed25519","scheme":"ed25519","keyid_hash_algorithms":["sha256","sha512"],"keyval":{"public":"d9facef058990d77fec014278de4f2d1d31a244707bd360b29ecb02b0536474d"}}]' --insecure
2021-09-09T183621+05:30 FTL package failed error="initialize updates: failed to init updater: unmarshal root keys: invalid character 'k' looking for beginning of object key string"
exit status 1
I get this error on Windows.
Jocelyn Bothe
09/09/2021, 7:11 PM
Madhur Jodhwani
09/10/2021, 8:15 AM
wtheaker
09/10/2021, 2:38 PM
100+ hosts at the top when there are more than 1k hosts enrolled. Should I open individual issues for each item, or a larger one with a few suggested changes?
Jean M
09/10/2021, 5:16 PM
{
  "component": "service",
  "err": null,
  "method": "NewQuery",
  "name": "hvhgvghvgh",
  "sql": "SELECT * FROM osquery_info",
  "took": "4.327208ms",
  "ts": "2020-02-05T15:19:07.729088806Z",
  "user": "jean"
}
However, I cannot see them anymore. Did something change in more recent versions? Or maybe I'm missing some configuration…
Kun Nan
09/13/2021, 1:55 AM
{"err":"submit launcher results: failed to ingest result: campaign stopped: ","errcode":"","level":"info","message":"","method":"PublishResults","reauth":false,"results":"[{\"query_name\":\"fleet_distributed_query_21254\",\"status\":0,\"rows\":[{\"atime\":\"1631255668\",\"block_size\":\"4096\",\"btime\":\"0\",\"ctime\":\"1618363046\
Madhur Jodhwani
09/13/2021, 7:20 AM
--insecure flag?
benbass
09/13/2021, 4:36 PM
download carve received status 401: Authentication required: Authentication required
I am able to query the carve table on that instance, and even a subsequent login does not resolve the issue. This is using fleetctl 4.2.2 and fleetctl 4.2.4 on macOS
mikermcneil
09/13/2021, 5:39 PM
CptOfEvilMinions
09/13/2021, 8:54 PM
Madhur Jodhwani
09/14/2021, 9:02 AM
go run ./cmd/package --type=pkg --enroll-secret=+6fOMFntLWUrMphCww64WTXP2P7LWlWo --fleet-url=https://127.0.0.1:8080 --update-url=https://127.0.0.1:4443 --update-roots='[{"keytype":"ed25519","scheme":"ed25519","keyid_hash_algorithms":["sha256","sha512"],"keyval":{"public":"e2c20fe1c4abe6dcbccf02ef60f5117feb6b64d2f051b4a26a15b1e73922d0cc"}}]' --insecure
Error: 2021-09-14T14:24:43+05:30 FTL package failed error="initialize updates: failed to init updater: init tuf client: tuf: failed to decode root.json: tuf: valid signatures did not meet threshold"
So I tried to run the above command while building orbit, but TUF is giving me this output. What should I do? I am on an Intel Mac with macOS v11.5.2 and I have my certificates trusted by OS X but not the key for the HTTPS update server.
Tanguy Dangelser
09/14/2021, 12:12 PM
$ go run ./cmd/package --type=msi --fleet-url=localhost:8412 --insecure --enroll-secret=mysecrethere
heat.exe : error HEAT0001 : SetThreadErrorMode assembly:<unknown assembly> type:<unknown type> member:(null)
Exception Type: System.EntryPointNotFoundException
Stack Trace:
at (wrapper managed-to-native) Interop+Kernel32.SetThreadErrorMode(uint,uint&)
at System.IO.DisableMediaInsertionPrompt.Create () [0x00008] in <3d7a9349295c42b6abb3487b4473a6b8>:0
at System.IO.FileSystem.FillAttributeInfo (System.String path, Interop+Kernel32+WIN32_FILE_ATTRIBUTE_DATA& data, System.Boolean returnErrorOnNotFound) [0x0000a] in <3d7a9349295c42b6abb3487b4473a6b8>:0
at System.IO.FileSystem.FileExists (System.String fullPath) [0x00008] in <3d7a9349295c42b6abb3487b4473a6b8>:0
at System.IO.File.Exists (System.String path) [0x0003d] in <3d7a9349295c42b6abb3487b4473a6b8>:0
at System.Configuration.ConfigurationManager.OpenExeConfigurationInternal (System.Configuration.ConfigurationUserLevel userLevel, System.Reflection.Assembly calling_assembly, System.String exePath) [0x00050] in <9dbd70885bbe478dbcc5b41c7b0e0973>:0
at System.Configuration.ConfigurationManager.OpenExeConfiguration (System.String exePath) [0x0000f] in <9dbd70885bbe478dbcc5b41c7b0e0973>:0
at Microsoft.Tools.WindowsInstallerXml.AppCommon.ReadConfiguration (System.Collections.Specialized.StringCollection extensions) [0x00022] in <13acedad176f4740bcdf107d029f167c>:0
at Microsoft.Tools.WindowsInstallerXml.Tools.Heat.Run (System.String[] args) [0x0005d] in <05dc1d4b31e6439dabb75d17e14330a3>:0
2021-09-14T14:06:23+02:00 FTL package failed error="package root files: heat failed: exit status 1"
exit status 1
Tanguy Dangelser
09/14/2021, 12:13 PM
Jocelyn Bothe
09/14/2021, 6:29 PM
Sep 14 18:28:30 osquery-service-orc20.ec2.vzbuilders.com fleet[13403]: ts=2021-09-14T18:28:30.884003459Z component=service method=ingestDiskSpace err="detail_query_disk_space expected single result got 2"
Jocelyn Bothe
09/14/2021, 7:39 PM
Kun Nan
09/15/2021, 4:07 AM
limited:false,result:{10 0 0s -1ns},err:MOVED 15505 172.17.205.126:7003
Artem
09/15/2021, 8:11 AM
manoj434
09/15/2021, 5:25 PM
Jocelyn Bothe
09/15/2021, 7:52 PM
Macear
09/16/2021, 11:06 AM
Mystery Incorporated
09/16/2021, 2:27 PM
Mystery Incorporated
09/16/2021, 3:08 PM
Ryan
09/16/2021, 4:45 PM
DELETE FROM software WHERE NOT EXISTS (select 1 from host_software hs where hs.software_id=software.id)