and what is the .fleet/config file for?

I'm running Ubuntu 20.04 and latest install method of docker which includes docker-compose... I'm getting this upon fleetctl install. Can anyone help me? root@testmachine:/home/user1# npm install -g fleetctl /usr/local/bin/fleetctl -> /usr/local/lib/node_modules/fleetctl/run.js + fleetctl@4.14.0 updated 1 package in 3.07s root@testmachine:/home/user1# fleetctl preview Installing fleetctl v4.14.0... Install completed. Error: Docker Compose is required for the fleetctl preview experience. Please install Docker Compose (https://docs.docker.com/compose/install/). root@testmachine:/home/user1# More info: root@testmachine:/home/user1# docker version Client: Docker Engine - Community Version: 20.10.16 API version: 1.41 Go version: go1.17.10 Git commit: aa7e414 Built: Thu May 12 091723 2022 OS/Arch: linux/amd64 Context: default Experimental: true Server: Docker Engine - Community Engine: Version: 20.10.16 API version: 1.41 (minimum version 1.12) Go version: go1.17.10 Git commit: f756502 Built: Thu May 12 091528 2022 OS/Arch: linux/amd64 Experimental: false containerd: Version: 1.6.4 GitCommit: 212e8b6fa2f44b9c21b2798135fc6fb7c53efc16 runc: Version: 1.1.1 GitCommit: v1.1.1-0-g52de29d docker-init: Version: 0.19.0 GitCommit: de40ad0 root@testmachine:/home/user1# docker-compose version -bash: /usr/bin/docker-compose: No such file or directory root@testmachine:/home/user1# docker compose version Docker Compose version v2.5.0

when i run the fleet service as systemd, should i do the fleet serve command also?

🏗️ New commits pushed to Fleet »

Is there a way to use a previous hosted zone in Route 53 for the terraform build? Running

terraform apply

creates a new hosted zone for us but we already have one with a cert provided by ACM. I am following the guide here: https://fleetdm.com/guides/deploying-fleet-on-aws-with-terraform

im running a script with fleet rest api and when i run the query i get an error 'new query: Query 0 already exists in datastore' do you know what this error mean?

Hi guys! Could you please give some advices how to securely open fleet access for osquery from internet?

Does

fleetctl package

when run always packages the latest osquery from the internet?

Hello team! Do the api routes

/api/v1/osquery

and

/api/v1/fleet

still exist in Fleet v4.14.0? Or the 'v1' path is no longer needed?

After exploring fleet with

fleetctl preview

I want to install

fleet

on a public node with

docker-compose

using

traefic

to provide the

HTTPs

cert via

letsencrypt

. Is there any example / guide available which I can use as a template?

🏗️ New commits pushed to Fleet »

re: fleet policy automations, does it ping the webhook each time it checks and a host fails a policy, or does it only do it once per host per policy? e.g. if someone is failing a policy for a week straight, how many times will the webhook get pinged for that specific device?

Somehow unable to install fleet osquery on some machines. Even admin user gets the below error after 30 or so seconds. Anyone ever a faced similar issue? (In another machine where the fleet osquery is installed already but not running, if you try to start it, it does not start and fails after 30 or so seconds. ) . More context: It was previously installed in the machine and was working fine, recently had to uninstall it for some reason and now when trying to install it, it just won't budge.

Aside from the ease of installation, is there any benefit to running the fleet agent vs stock osquery? Anyone have an example of using the secret & flagfile in the osquery systemd unit?

My software section is not populated, it says: Try again in about 1 hour as the system catches up. But even after over 12 hours I still get the same message and no data. Do I need to enable anything special to get the installed packages reported?

Basic question: is there a way in the webui to tell which version of Fleet I’m on?

Hi everyone, has anyone run into an issue with MySQL XA Crash recovery loop? Most answers I have found seem to revolve around Memory exhaustion but I do have plenty of memory on the server

I have also checked the integrity of the fleet idb files and they checkout for crc32

now that I say that I will go check the other ibd files too...

I’m trying to run fleet behind an AWS ALB, with fleet running without TLS on port 80. The interface works, but I cannot add hosts using osquery. I’ve tried via systemd, after placing the flags, secret and certificate files in

/etc/osquery

, and I’ve tried the direct osqueryd while in that etc directory. Neither work. The first - systemd - has no enrolment logs at all in the journal entries. The second - direct - has a json error, which I’m failing to work out

W0527 13:10:57.324188 1032001 tls_enroll.cpp:101] Failed enrollment request to <https://fleetpoc.avnsec.com/api/latest/osquery/enroll> (Cannot parse JSON: The document root must not be followed by other values. Offset: 4) retrying...

Any tips? I also wonder - is the pem file needed, as it is using a valid ACM certificate on the ALB.

Hey yall I got a question, I keep on getting this error message anytime I try to add an arbitrary client to the main server.

W0528 16:25:28.241241 12361 tls_enroll.cpp:101] Failed enrollment request to <https://fleet.freddyal.com:443/api/osquery/enroll> (Request error: Failed to connect to <http://fleet.freddyal.com:443|fleet.freddyal.com:443>: Connection timed out) retrying...

FWIW I do have firewalld enabled on the client that I am trying to enroll it on.

Surprisingly I was able to enroll the server and my local workstation but I can't seem to add other clients.

🏗️ New commits pushed to Fleet »

Hi all, How do the community handle FleetDM outages? Lets think in the following scenario: A deployment of 1500~2000 endpoints where we are capturing evented tables (i.e: syslog_events, windows_events). Endpoints have a reasonable activity, lets say 20 events every 5 seconds. In our case, we send the data via

tls

from osquery to FleetDM. In FleetDM, we do some transformations to the message (since we cant get osquery data "as is" in the SIEM side) and forward the data up to our SIEM. For some reason (Fleet is down, connectivity issues...) osquery cant send data to FleetDM, so it will start buffering the data. After some hours, the FleetDM server is healthy or reachable again, and all the agents starts sending all the data at once. In our case, a deployment of 1500~ agents with a reasonable amount of activity, will cause the FleetDM server to be overwhelmed (CPU 100%) when every endpoint start to send all the buffered data. This ends up in memory usage and fds piling up and eventually the box becomes unusable. I wonder how people handle these kind of scenarios and if there is a good way to solve this problem. We can always increase Fleet HW specs or add nodes, but if we do so the CPU usage during normal behavior is too low and it seems like a waste of resources. I have tried to reduce

buffered_log_max

to 1000 to see if a lower amount of buffered events help to solve the issue, but i still find the same behavior. Any ideas and/or advices are appreciated. Thanks!

hi everyone if I want to upgrade my fleet version from 3.5.1, what is the version that you recommend to upgrade?

when do i upgrade my fleet, should i do prepere db again?

where is the documentation for schedule queries at fleet?

What in the sweet baby jesus is going on here?