hello Fleet. when doing a major version upgrade (3.1x) to 4.1x, is there anything else to follow other than this guide? https://fleetdm.com/docs/deploying/upgrading-fleet

🏗️ New commits pushed to Fleet »

odd question..we're trying to install fleet on Rocky Linux 8..and for some reason, it continually starts/stops without much other errors

See this

Apr 28 02:52:48 rockytest1 systemd[10220]: orbit.service: Failed to execute command: Permission denied
Apr 28 02:52:48 rockytest1 systemd[10220]: orbit.service: Failed at step EXEC spawning /var/lib/orbit/bin/orbit/orbit: Permission denied

Error: fleetctl login failed: login received status 401 Authentication failed: Authentication failed

Can anyone help me with this error ?

hello , trying to troubleshoot an error & make sense of it . We see the logs filled with

{"component":"http","err":"authentication error: invalid node key:

when checking the status , and in var/log/osquerywarning we see

Failed enrollment request to <https://osquey.net:8080/api/v1/osquery/enroll> (No node key returned from TLS enroll plugin)

i checked that we have the a enroll secret in the config files

and configured correctly

Hi everyone, I'm running into an issue where after installing the orbit package on a Linux machine, it wont show up in the fleet UI. I found that disabling SElinux fixes the issue but i was wondering if there was a fix without needing to disable SElinux.

🏗️ New commits pushed to Fleet »

Is there a way to automatically delete an offline host after X days of inactive? I do not see there is such a configuration in fleet configuration https://fleetdm.com/docs/deploying/configuration The use case is this. In our infra, all newly created hosts in OCI automatically install osquery agent and connect to our fleet server. However, when some hosts are terminated, these host still ghost in the fleet UI. The solution right now is we manually delete them, but it's not ideal.

🏗️ New commits pushed to Fleet »

Hi, when setting the filesystem​_enable​_log​_rotation variable to True, will Fleet generate a log.1 and log.2 file, or simply truncate the existing log file? As when truncating is used the total amount of log space required is minimal (500MB) but if files are generated with sequence numbers , we still need to manage the log space in a different way

We are getting empty snapshots for Evented tables like process_events, file_events in Security Onion Fleetdm. Can anyone suggest some solution?

I have a question: is it possible for osqueryd to register with two concurrent (but different!) fleetdm backends?

🏗️ New commits pushed to Fleet »

Hello everyone! Is it possible to increase logging verbosity for FleetDM to MySQL connections? Or may be some tips to check something? We still see such errors in our

journalctl -u fleetdm

log without exact understanding of reason:

May 06 10:24:55 fleet-01.test.tech fleet[3448836]: {"component":"http","err":"timestamp: 2022-05-06T10:24:48Z: error in query ingestion || timestamp: 2022-05-06T10:24:52Z: error in query ingestion || create transaction: timestamp: 2022-05-06T10:24:55Z: context canceled || save host with id 369: timestamp: 2022-05-06T10:24:55Z: context canceled","ingestion-err":"ingesting query users: update host users: create transaction: timestamp: 2022-05-06T10:24:52Z: context canceled","ip_addr":"172.10.11.10","level":"error","method":"POST","took":"22.51394562s","ts":"2022-05-06T10:24:55.778064954Z","uri":"/api/v1/osquery/distributed/write","x_for_ip_addr":"172.10.11.10"}
May 06 10:25:01 fleet-01.test.tech fleet[3448836]: {"component":"http","err":"timestamp: 2022-05-06T10:24:58Z: error in query ingestion || timestamp: 2022-05-06T10:25:01Z: error in query ingestion || timestamp: 2022-05-06T10:25:01Z: error in query ingestion || timestamp: 2022-05-06T10:25:01Z: error in query ingestion || timestamp: 2022-05-06T10:25:01Z: error in query ingestion || timestamp: 2022-05-06T10:25:01Z: error in query ingestion || getting app config: selecting app config: timestamp: 2022-05-06T10:25:01Z: context canceled","ingestion-err":"ingest detail query: selecting app config: timestamp: 2022-05-06T10:25:01Z: context canceled","ip_addr":"172.10.11.11","level":"error","method":"POST","took":"19.280912956s","ts":"2022-05-06T10:25:01.630667525Z","uri":"/api/v1/osquery/distributed/write","x_for_ip_addr":"172.10.11.11"}
May 06 10:25:03 fleet-01.test.tech fleet[3448836]: {"component":"http","err":"timestamp: 2022-05-06T10:24:58Z: error in query ingestion || create transaction: timestamp: 2022-05-06T10:25:03Z: context canceled || save host with id 403: timestamp: 2022-05-06T10:25:03Z: context canceled","ingestion-err":"ingesting query software_linux: update host software: insert software: timestamp: 2022-05-06T10:24:58Z: context canceled","ip_addr":"172.10.11.12","level":"error","method":"POST","took":"20.692362396s","ts":"2022-05-06T10:25:03.53958792Z","uri":"/api/v1/osquery/distributed/write","x_for_ip_addr":"172.10.11.12"}

We don’t see any errors or high load on MySQL. At the same time we started to see software inventory and vulnerabilities data. Visually it looks like this information is updated correctly according to intervals.

I think I may have found a bug: I'm trying to check when a host was last seen using the API. I tried doing a request to /api/v1/fleet/hosts/identifier/ and it returns the expected data but the seen_time field is always "0001-01-01T000000Z". Other API calls seem to return the correct value.

I'm running on "Fleet 4.11.0 • Go go1.17.7"

Hey team! I am trying to deploy Fleet to heroku… First, I am wondering, is this not recommended? I don’t see it mentioned in the docs but there are lots of other more-involved approaches.

I have the docker image deployed to a heroku, but I am stuck on getting the server app connected to mysql and redis. I am running

fleet prepare db

but the error

failed to start: creating db connection: default addr for network '<http://us-cdbr-east-05.cleadb.net/asdfasdfasdf|us-cdbr-east-05.cleadb.net/asdfasdfasdf>' unknown

. It seems to not know the URL for that db, but that’s the url provided by heroku in their server env variables.

🏗️ New commits pushed to Fleet »

Does the

FLEET_SERVER_CERT

config only accept paths to the cert? Does it also accept the full cert itself set in the ENV var? Heroku does not allow persist files in their directory I think, so it is not possible to put it into a path.

More broadly, what does that cert do? Is it going to be used to generate all the osqueryd installations and then that’s how they know they’re talking to the right counterpart?

Hey folks (<!here>), pleased to announce Fleet 4.14.0 🚀 Changes include: • Jira and Zendesk integrations for vulnerability notifications • Beta support for Fleet Desktop on Linux (it's now available in beta on macOS, Linux, and Windows!) • Last opened time for applications on macOS As usual, you can find binaries and the changelog at https://github.com/fleetdm/fleet/releases/tag/fleet-v4.14.0, and container images have been pushed to Docker Hub.

lol

of course I understand that windows 11 is 10.x but I think that is not a great way of saying it

Webhook out to somewhere on discovery of vulnerability

Sorry if this is covered elsewhere -- but how often are policies run (which are really just scheduled queries) - I seem to remember they are run hourly - is that right? I couldn't find it in the docs ....