Ojas
02/28/2022, 5:29 AM
Luke Wolfenden
02/28/2022, 9:58 AM
Ivan
02/28/2022, 10:45 AM
Ari Weinberg
02/28/2022, 9:25 PM
chrome_extensions table, and disabling that table in the flags file stopped the CPU from being pegged.
Any idea what might be causing this?
Disabling this table also stopped Fleet from gathering all the installed programs on the server, even though Chrome is not installed.
Keep in mind that this is on domain controllers only, and this wasn't a problem on other Windows servers that don't have Chrome installed.
Jason Cetina
02/28/2022, 11:38 PM
Tilman Bender
03/01/2022, 9:49 AM
no spec field on "" document
Billel
03/01/2022, 1:24 PM
zwass fleetctl package ? https://osquery.slack.com/archives/C08V7KTJB/p1646159484058179
pvirani
03/01/2022, 11:31 PM
successfully enabled scheduled packs but when I check the 'schedule' tab it does not show any of the queries from the packs in the scheduled queries list 🤔 I checked osquery_result file on my Fleet host and it's empty. Anyone encountered this before? Any ideas on what the problem and the solution might be?
Billel
03/02/2022, 8:18 AM
Coleton
03/02/2022, 8:50 AM
Tilman Bender
03/02/2022, 9:50 AM
Tilman Bender
03/02/2022, 3:17 PM
Tilman Bender
03/02/2022, 3:23 PM
Ojas
03/03/2022, 6:11 AM
user
03/03/2022, 1:26 PM
Marc Roelofs
03/03/2022, 2:02 PM
Tilman Bender
03/04/2022, 3:34 PM
Jason Cetina
03/04/2022, 8:50 PM
user
03/07/2022, 7:36 PM
Jason
03/07/2022, 11:03 PM
Scott Blake
03/08/2022, 2:56 PM
Marc Roelofs
03/08/2022, 3:16 PM
host_settings:
  enable_host_users: true
  enable_software_inventory: true
and vuln is set like this
vulnerabilities:
  cpe_database_url: ""
  current_instance_checks: auto
  cve_feed_prefix_url: ""
  databases_path: /fleet-cve/
  disable_data_sync: false
  periodicity: 3600000000000
vulnerability_settings:
  databases_path: /fleet-cve/
Any idea that could help me? ...
Gregory Storme
03/09/2022, 9:43 AM
disable_carver: true in the global agent options, but I don't see this being changed on the orbit/osquery daemon
They are still running with the --disable_carver=false flag
How is such a change to the global agent options reflected on the hosts?
Scott Blake
03/09/2022, 2:08 PM
Ryan
03/10/2022, 3:37 PM
cryptography which is showing this CVE: https://nvd.nist.gov/vuln/detail/CVE-2020-36242
Kathy Satterlee
03/10/2022, 8:55 PM
C:\Temp\osqueryconf\ and now we see the client trying to communicate with Fleet when running: "C:\Program Files\osquery\osqueryd\osqueryd.exe" --flagfile="C:\Temp\osqueryconf\osquery.flags" --verbose --tls_dump
To me this validates that the service was in fact skipping the flags file. Progress! However, we are now getting an enrollment error –
https://fleet.xxxx.net:443/api/v1/osquery/enroll (No node key returned from TLS enroll plugin) retrying...
{
  "error": "enroll failed: no matching secret found",
  "node_invalid": true
}
We’ve triple checked the enroll secret value (which I took straight from Fleet), checked for whitespace, etc but to no avail. Here’s what the error on Fleet’s side looks like:
2022-03-10T19:54:06.128619+00:00 xxxx.xxxx.net fleet: {"component":"service","err":"enroll failed: no matching secret found","host_identifier":"xx-xx-xx-xx-xx","ip_addr":"xxx.x.x.x:xxxxx","level":"info","method":"EnrollAgent","took":"1.789708ms","ts":"2022-03-10T19:54:06.128302224Z","x_for_ip_addr":"xx.xxx.xx.x"}
user
03/10/2022, 11:35 PM
clong
03/11/2022, 6:43 AM
https://api.github.com/repos/fleetdm/fleet/releases/latest but right now that just gives me orbit packages.
pvirani
03/11/2022, 8:00 PM