Ted Dorosheff
01/15/2022, 4:01 PM
I0115 07:56:12.120774 1844 ntfs_journal_events.cpp:323] Couldn't open C:\Users\teddoro\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\Settings\settings.dat.LOG2 while building FRN set
I0115 07:56:12.120774 1844 ntfs_journal_events.cpp:323] Couldn't open C:\Users\teddoro\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Settings\settings.dat while building FRN set
I0115 07:56:12.136206 1844 ntfs_journal_events.cpp:323] Couldn't open C:\Users\teddoro\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Settings\settings.dat.LOG1 while building FRN set
I0115 07:56:12.136206 1844 ntfs_journal_events.cpp:323] Couldn't open C:\Users\teddoro\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Settings\settings.dat.LOG2 while building FRN set
I0115 07:56:12.167567 1844 ntfs_journal_events.cpp:323] Couldn't open C:\Users\teddoro\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Settings\settings.dat while building FRN set
These paths seem to correspond to what we have for file_paths in the YAML config, which leads me to believe that my config is working. However, I'm wondering why osquery isn't able to open these files?
I've installed using Chocolatey, and verified that osquery is running with the proper permissions and as a service. FWIW, those error logs were observed after running:
C:\Program Files\osquery\osqueryd\osqueryd.exe --flagfile=osquery.flags --verbose
i.e., it was running from an admin shell, and not as a "service".
That being said, when I run osquery in this manner I'm able to see the host I'm running it from in FleetDM and the host appears online. However, after a system reboot and when osquery is running as a service, the host does not appear online.
user
01/17/2022, 7:54 PM
demonbhao
01/18/2022, 3:34 AM
Guillaume
01/18/2022, 4:18 PM
jlk
01/19/2022, 2:15 AM
SELECT * FROM system_info) against a single host via API, but it's timing out (504 Gateway Time-out). I can call the same saved query from the fleetdm web ui and it works in a few seconds. This is a fresh fleet install - sound like a familiar problem to anyone?
alessandrogario
Dulal
01/19/2022, 11:57 AM
matx
01/19/2022, 4:57 PM
user
01/20/2022, 2:24 AM
Dulal
01/20/2022, 11:36 AM
mikermcneil
01/20/2022, 3:03 PM
Vinu Tom
01/21/2022, 12:22 PM
Mystery Incorporated
01/23/2022, 6:35 AM
Dulal
01/23/2022, 11:23 AM
Dulal
01/24/2022, 11:51 AM
Tor Houghton
01/24/2022, 12:01 PM
Harish SEGAR
01/24/2022, 6:16 PM
Saulo Guilhermino
01/24/2022, 7:41 PM
Harish SEGAR
01/24/2022, 7:49 PM
dram
01/25/2022, 2:20 AM
Dulal
01/25/2022, 8:22 AM
wtheaker
01/25/2022, 4:55 PM
ryan
01/25/2022, 4:57 PM
root pinning is not supported in Spec 1.0.19
when I generate a package and couldn't find anything in this channel about resolving it. Any tips? Running fleetctl 4.9 on macOS and using fleetctl package --type=pkg --fleet-url=xxx --enroll-secret=xxx
user
01/25/2022, 5:25 PM
user
01/25/2022, 5:25 PM
Ted Dorosheff
01/26/2022, 8:00 PM
file_paths definitions for mac, linux and windows clients? Could the config simply include all of the file paths, and whatever cannot be found on the client side will simply be skipped? Such as:
{
  "file_paths": {
    "linux": [
      "/root/.ssh/%%",
      "/home/%/.ssh/%%"
    ],
    "windows": [
      "C:\\Windows\\Temp\\",
      "C:\\Windows\\Tasks\\"
    ],
    "mac": [
      "/Library/",
      "/Applications/"
    ]
  },
  "exclude_paths": {
    "linux": [
      "/home/not_to_monitor/.ssh/%%"
    ],
    "windows": [
      "/tmp/too_many_events/"
    ],
    "mac": [
      "/Applications/too_many_events/"
    ]
  }
}
Or should the platform key be used? If so, how would that look? So far all the examples I'm seeing in docs include the platform key within a `query` or packs section, and we're trying to manage both queries and functions outside of Settings>yaml in FleetDM.
Thanks
Nafisa Tasneem
01/27/2022, 9:44 AM
Jason
01/28/2022, 1:37 PM
fleetctl apply -f
n8felton
01/28/2022, 2:13 PM
rds-aurora module version, updates to some variables to use var.prefix in more locations, and some general shifting of things around. Would it be best to do 1 PR with multiple commits, or chunk out the changes into a few PRs?
Nafisa Tasneem
01/29/2022, 7:29 AM