Powered by Linen
fleet
  • w

    Wojtek

    12/15/2020, 10:16 AM
    Is anybody running fleet behind rev-proxy (traffic)? I am seeing issues, most likely related to websockets.
  • w

    Wojtek

    12/15/2020, 10:53 AM
    btw is there any way to disable web sockets in fleet?
  • a

    Artem

    12/15/2020, 1:40 PM
    It looks like sha256sum fleet.zip command returns different result 1476e27814861bc7964f1c0db122cb156d56996f1612518c330c522ba24368f4 for fleet.zip in http://github.com/fleetdm/fleet/releases/tag/3.5.1. Is it okay?
  • a

    Artem

    12/15/2020, 2:17 PM
    Another question, can we remove some query from denylist using Fleet? osquery_scheduled returned denylisted=1 for query, but without any hardware utilization metrics. In my opinion, it looks like a mismatch. Is there a way to remove this special query from denylist without direct access to client laptop and not to wait 24 hours?
  • c

    CptOfEvilMinions

    12/15/2020, 5:49 PM
    Question about configuring FleetDM for Docker, specifically using Docker Swarm. The documentation for configuring the binary states mysql_password accepts a string but is it possible to provide a path to a file that contains the password, say to a Docker secret: /run/secrets/fleetdm-mysql-password? I assume the answer is it’s not supported currently but I wanted to ask.
  • m

    maxwhite

    12/15/2020, 8:02 PM
    Hello, I was wondering, does the old launcher work with the new fleet? If not, what is the preferred method to deploy? (We were packaging launcher and deploying it through MDM.) Thank you,
  • d

    demonbhao

    12/16/2020, 3:55 AM
    Hello, would you please tell me what impact will fleet and osquery have on the osquery client when fleet and osquery communications are cut off? Will the regular query task set on the Fleet server continue?
  • k

    koba

    12/16/2020, 9:10 AM
    Question: Is there a plan to have (or reason to not have) a global search option in Fleet UI to quickly find the hosts that are enrolled? I would want an easy way to verify if a host is added on Fleet?
  • w

    Wojtek

    12/16/2020, 11:20 AM
    I saw there is a --timeout flag in fleetctl which is a nice feature. Is there anything similar in the WebUI? I've been running a simple query over 1389 hosts and under one minute 1386 of them returned results. Then the query runs forever I think (at least I have waited a few mins before stopping this). What's the core of this problem? Could this have been mitigated in fleet or osquery?
  • s

    Seth Hanford

    12/16/2020, 8:11 PM
    How do I use fleetctl as a single sign-on user? I’ve tried “fleetctl login” and supplied my email, but when it asks for password, I don’t have one to provide. I’ve tried pulling the API key from my profile on the GUI and supplying that, but it gets rejected as “The credentials supplied were invalid”
  • d

    Dan Achin

    12/16/2020, 10:03 PM
    Hi everyone. I have a question about fleet options. When setting an option in Fleet, does that override the local osquery client option that's set in the flags file? For example, if we have logger_plugin: tls at Fleet, but logger_plugin: tls,filesystem configured on our clients, which one 'wins'?
  • g

    GitHub (Legacy)

    12/18/2020, 12:09 AM
    message has been deleted
  • g

    GitHub (Legacy)

    12/18/2020, 3:45 AM
    message has been deleted
  • c

    CptOfEvilMinions

    12/18/2020, 6:04 PM
    Hey y’all, I am creating a blog post on:
    • Installing/setting up FleetDM manually on Ubuntu 20.04
    • Installing/setting up FleetDM with an Ansible playbook
    • Installing/setting up FleetDM with Docker-compose v2.x
    • Installing/setting up FleetDM with Docker swarm v3.X
    • How to manually install Osquery on Windows and Ubuntu
    • How to install Osquery on endpoints with an Ansible playbook
    • Section on converting an Osquery query pack to the YAML format to upload to FleetDM with FleetCTL
    • Section on creating query pack via webgui
    • Section on running live queries with FleetCTL
    • Section on running live queries with web gui
    • Section on the new file carve feature in FleetDM
    In a thread below, please add any additional items I should cover in my blog post for first time FleetDM users.
  • a

    Ahmed

    12/18/2020, 6:20 PM
    API Documentation Format
    I noticed you currently use pure Markdown file for the API documentation, would it be okay to switch to OpenAPI format? There are a couple of reasons I think this would be a good move:
    • The format is almost a standard and can be parsed by a lot of tools which makes testing, and spinning mock servers much easier.
    • In case the API documentation will be added to the website or published a more structured format, doing that will be a simpler conversion or running it through a tool.
    • Easier to contribute to since there are many editors that simplify the process of adding new endpoints and request/response details.
    Do you think it will be okay if I switched to this format and sent my PR for the rest of the documentation in OpenAPI format?
  • n

    nyanshak

    12/18/2020, 10:20 PM
    fleet carving feedback <thread>
  • c

    Chris Reisor

    12/22/2020, 4:29 PM
    We are maxing out the 5351 mysql connections provided by our db.m4.4xlarge type host. Is that normal? Why are there so many database connections?
  • c

    Chris Reisor

    12/22/2020, 4:30 PM
    Also, we are getting our pods evicted due to storage limits, caused by 21G /tmp/osquery_status files. My gut says this is related to the lack of database connections (like, osquery_status gets cleared when it gets written to the database, or something). Is that correct?
  • c

    Chris Reisor

    12/23/2020, 9:42 PM
    message has been deleted
  • j

    Juan Alvarez

    12/28/2020, 10:48 AM
    Hi guys, is there a way to configure the overrides section for all linux platforms? For example, I want to enable the enable_syslog flag for all linux boxes, from what I see I need to have a section for ubuntu, rhel, centos... isn't it?
  • d

    demonbhao

    01/04/2021, 10:13 AM
    Hello, may I ask if I deleted the pack pack on fleet UI, but the log of pack pack query will still be generated? What's the situation?
  • w

    Wojtek

    01/05/2021, 8:45 PM
    Hello, when I am running a distributed query on Fleet UI it completes and says some of the hosts failed. What does that exactly mean? Is it possible to identify which hosts have failed? Thanks
  • d

    Dan Achin

    01/06/2021, 8:17 PM
    hello fleet. Does anyone know how to delete users from Fleet? We recently stood up a new text env and when we went to invite someone, they get a message that their token was not found in the data store, so they can't accept the invite. We need to get this person setup but can't do it now because of the pending invite. We also need to understand what that token expired or didn't get set. Is this all stored in mysql? has anyone run into this before? We are using SSO via keycloak, not sure if that matters.
  • d

    demonbhao

    01/08/2021, 9:06 AM
    Hello, Fleet. I didn't have any certificates when I deployed Fleet. How can I use the generated certificates when I deploy a new set?
  • z

    Zach Zeid

    01/08/2021, 5:15 PM
    is there any guidance on running fleet on k8s?
  • d

    Dan Achin

    01/11/2021, 7:28 PM
    Hey Fleet community. Is there a way to export the hosts out of Fleet in general, or for a specific label or labels? We are looking to try and audit what's registered vs what isn't and the way we have done that to date is to run a simple ad-hoc query and then export the results. That said, I routinely see these UI queries get stuck after completing on some # of hosts. I am theorizing that this is because some of the hosts are offline, but I don't know for sure. First question is if there's a better way to export the clients and the follow-up is what causes the ad-hoc queries to get stuck? I know that we can use the --exit flag with fleetctl and that skips offline hosts, but assume the UI doesn't do that. FYI, we are still on the last Kolide Fleet version so if any of the behavior has changed with what I'm going to ask about, let me know.
  • g

    grant seltzer

    01/11/2021, 8:45 PM
    That's how I have it and it's not working as expected (seems to be uuid by default)
  • z

    Zach Zeid

    01/13/2021, 6:45 PM
    I'm looking at https://fleetdm.com/ and noticed it updated with two pricing models; is there a difference between Core and Basic?
  • d

    Dan Achin

    01/13/2021, 6:59 PM
    Hey everyone. We have the need to export pack config from one fleet env to another. I know Kolide had this tool - https://github.com/kolide/configimporter though as they have gotten out of the fleet biz, it's deprecated. The notes in the repo suggest using this script to convert the packs to yaml and then import them. Is this what people are doing, or does fleetdm have a tool (I couldn't find one)?
  • z

    zwass

    01/13/2021, 7:45 PM
    message has been deleted
z

zwass

01/13/2021, 7:45 PM
message has been deleted
Launcher communicates over GRPC which uses HTTP/2 and is not always well supported by load balancers. Could this be the issue?
j

Justin Bowen

01/13/2021, 8:03 PM
https://aws.amazon.com/blogs/aws/new-application-load-balancer-support-for-end-to-end-http-2-and-grpc/
https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-http2
Figured I'd plop those here as I have run into that issue before
z

zwass

01/13/2021, 8:25 PM
@Carlo Miguel Cruz
c

Carlo Miguel Cruz

01/13/2021, 8:41 PM
Thanks for the info. We also tried using AWS ALB for HTTP2 and also with gRPC but we get the same error (err":"enrolling host: transport error in enrollment: rpc error: code = Unavailable desc = unavailable") from launcher. The fleetdm web console also gets HTTP error 502 Bad Gateway on HTTP2. The web console gets HTTP error 464 when we set the target group to gRPC. That is why we went back to using NLB.
We bumped fleetdm from 3.5.1 to 3.6.0 but we still get the same error.
z

zwass

01/13/2021, 10:00 PM
This seems almost certainly an LB problem
c

Carlo Miguel Cruz

01/14/2021, 5:20 AM
Most certainly that this is caused by the load balancer. We want to learn what network situations can cause the rpc error: code = Unavailable desc = unavailable so we can act on it. We are still investigating as well. Were there similar reports like this before?
Hi guys, we were only able to fix this issue by terminating TLS on the fleetdm server instead of the load balancer for the gRPC connections. I think this has to be documented as a requirement for fleetdm to be able to receive gRPC connections from launcher. Using --insecure --insecure_transport still did not allow gRPC to connect directly to the fleetdm server. So what we did for now is to terminate SSL on the application load balancer for the UI using AWS ACM. We used a separate network load balancer for the gRPC connection and just terminated the SSL directly on the fleetdm pods using a self-signed certificate. We have separate endpoints now for accessing the UI and for the gRPC connections. Thanks for helping us. I hope you may find our feedback useful as well. All the best!