Hi everyone - great to meet you! I was wondering if I could ask for help with a specific question and a general question. I've been running an instance of Fleet with about 40 machines running OSquery 5.0.1 via an orbit installer at 3 different remote sites. Yesterday around 12:15, they all stopped calling home. The orbit installers I used still work - if I run an the exact installer used at these sites on a test machine, the test host starts calling home. These hosts dropping offline in Fleet coincided with a drop off in network traffic at the application gateway in front of our fleet server. I've confirmed out of band that the machines at these sites are alive and healthy - but for the next few days, I'm not able to access them. One suspicion I have is an orbit-driven update... is there any way to identify any recently published updates on the public orbit update server? Would anyone happen to have any troubleshooting ideas while I wait for access to these sites? Thanks!

hey guys , i installed fleet on ubuntu and it all wen ok (version 3.5.1) i added a server with the same version and service , config files and everything. after i added the server behind a load balancer i found out he dosent get logs. when i try to connect to him with https://*ip* on web browser im connectiong to the same fleet api. im trying to do it because i want to be able to run a query on 8,000 hosts. if someone has done it before and can help me ill app that, thanks :).

I noticed a previous message about orbit and fleetdm -- is orbit now considered production-ready? We are looking to overhaul our fleet deployment in early 2022 and may replace launcher with orbit if that's the case. Thanks!!! (and happy holidays!)

Does anyone have cost numbers from supporting differing numbers of osquery agents using self hosted fleet setups in AWS? Possibly including what is part of that cost (HA/ self hosting vs using AWS services for ECS/kubernetes/etc you have in your setups)? I’m going to stand up fleet and before deployment we need general costs. I have the cost calculator in AWS, but would love to see what prod numbers people have.

I noticed the latest FleetDM API docs have changed how running a live query works. There is no mention of using the websocket connection to get results. Is the websocket method being depreciated?

Hello, if we want to check the installed KB and we go to registry path

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\...

the check will take a long time to return the results ... is there any option to optimize this search?

I noticed that I am unable to open couple of hosts within fleetdm. showing “Unable to load host. Please try again”. Showing as online though! Live Queries also not working. Had a look at the reverseproxy logs and found bazillion of HTTP 500 for POST to /api/v1/osquery/distributed/write But some other hosts are working fine, live queries also working fine.. and they are located on the same network as the ones which are not working, so I dont suspect any networking/firewalling/proxy issue.

I am getting certificate verification failed error

🏗️ New commits pushed to Fleet »

Hey y'all! Anyone remember offhand how to quickly point

fleetctl

at a different Fleet server URL for a single command? (Or to reconfigure it to point at a different Fleet server URL?)

I can run

select * from chrome_extensions;

from osqueryi but when I run in Fleet it doesn't return any results. No errors either. Running 4.8

@zwass and fleet team. Been away from fleet for a few months, came back and I was blown away by how simple orbit is to use now! Thanks for all the great work! Its really useful. Is Orbit production ready?

Hello everybody, quick question: When an instance of Fleet has the variable

FLEET_VULNERABILITIES_CURRENT_INSTANCE_CHECKS

set to "no", will it still download the necessary databases for the check? More context in the thread 👇

Hey folks. One of our fleet servers is experiencing a storm of

authentication error: find host

errors and all of the osquery agents are having connection timed out. I looked into the previous conversations related with this error in this Slack but could not really find anything relative. The fleet server is on

4.4.3

. Any guidance possible?

Is there a common column in Fleet to join different tables on? I want to run a policy query, which works, but I'd like to do a JOIN with the os_version table and add a WHERE so that only certain OS versions are checked.

🏗️ New commits pushed to Fleet »

Fleet 4.8.0. This link points to https://fleetdm.com/docs/deploying/configuration#software-inventory but that section doesnt exist

4.8.0 looks quite good:

• Add ability to configure Fleet to send a webhook request with all hosts that failed a policy. Documentation on what data is included the webhook request and when the webhook request is sent can be found here on fleedm.com/docs.

Is there already a way to retrieve the list of policies and which hosts are failing a policy, as the

pull

method would fit better than

push

, with a use-case I have in mind.

Hey y’all, happy new year 🍾 Good news for our paid plan - Fleet Premium is now $1/host (down from $4.) Free plan will always be free. Pumped about where Fleet is heading in 2022 🚀

Looking for some clarification RE: Vuln Processing. The docs here: https://fleetdm.com/docs/using-fleet/vulnerability-processing The first section states

Vulnerability processing is enabled by default.

The 2nd section states:

To enable vulnerability processing, first enable the software inventory feature by setting the following app config:

As of 4.8.0 - Is Vuln Processing enabled by default? What about new installs vs. upgrades?

Hi folks, looking for some help with connectivity to fleet. I currently have a few RHEL hosts that are up on fleet. Some are connected and show that they're online, but others will periodically show as offline. I've tried deleting them from fleet and reinstalling my 'fleet-osquery' package to see if it fixes the issue and it seems like it does but it is not permanent as those same hosts will show offline a few hours later. I've connected these hosts to a domain controller so I edited

/etc/resolv.conf

with the domain nameserver IP and edited

/etc/NetworkManager/NetworkManager.conf

so that the changes are on

/resolv.conf

stay the same even after reboot. I've also disabled

SELINUX

because it was not letting the hosts connect. Currently am stumped on what could be blocking the connection or why the hosts go offline. Any help on what could be the issue?

Hi folks,I had some problems adding hosts OS:Centos 7.9 docker:20.10.11 fleetctl:4.8.0

Hey all, I was wondering using

fleetctl package

to create a package, does it also automatically enable the update channels or are they disabled by default? I want to create a static package that does not use the update channels

Hello! I have a small question about server performance requirements. We are planning to monitor about 800 Apple mac’s, while running standard queries about processes, file and socket events, and most of the queries will be differential logging type. How much CPU’s and memory do we need?

🏗️ New commits pushed to Fleet »

Just checking all my bases but is there a way to set up HTTP Strict Transport Security with fleet or is the best path forward just to throw a proxy in front of fleet and set it there

What is the best way of doing a where clause for remote_address equalling an address (either ipv6 or ipv4)?

I'm testing fleet 4.6.1 and I'm not seeing any of the performance data coming back from the osquery client for each of the scheduled queries. What's a good way to troubleshoot that?

Hello all, I'm working with some RHEL endpoints being hosted on AWS. I'm attempting to clone one of my endpoints and add the clones to fleet but when I do, fleet seems to confuse the original with the clones. I've changed the hostnames and made sure that they all have different IPs and serial number. When i add them to fleet, they do not show up as individual endpoints but when I try to Refetch the original endpoint i see its IP change and the hostname change. So it seems like fleet thinks that they are all the same endpoint. Anyone encountered this before?

in yaml config, should `file_paths`/`exclude_paths` be on the same indent as

decorators

? or are

file_paths

a sub parameter of

decorators

? Thanks!