🏗️ New commits pushed to Fleet »

Hello team! I'm not sure if this is the proper channel, but I'm getting the following error when trying to test

goquery

within `fleetctl`:

.connect: ScheduleQueryAndWait call failed: upgrade live query result websocket: websocket: bad handshake

I assume this is related to our infrastructure security controls regarding websocket routes. In my deployment I have to specify which routes are websockets (currently only

/api/v1/fleet/results

). So my real question is, what routes do I need to allow for Goquery to work properly? (If the issue is about that)

Appears that recent versions of fleetctl now enforce user password requirements, which I believe did not used to be the case. FleetDM currently requires min 12 chars + 1 number + 1 special. Is there any way to customize the user password requirements?

Complex passwords

(ie requiring mixed character types) as a security best practice has been deprecated in favor of minimum password length (as well as a few other controls) by NIST (see section 5.1.1.2 Memorized Secret Verifiers) and the wider InfoSec community for a few years now - and I would like to tweak the complexity requirements for my deployments to be more inline with this.

Hi there! I have a question about running differential queries in osquery and fleetdm. For example, when this type of query is run on a machine, where are the results saved for comparison? On the Osquery's or Fleetdm's side? I'm having a problem with a large amount of network consumption traffic (outbound and inbound) from fleetdm. Since I have a considerable amount of "Differential" queries, I think that the fleetdm could send the information back to the clients to get the differential value, and the clients send that information back. I found that my Fleetdm server is receiving 100GB of traffic data from agents, but only 20GB is logged in results.log and less in status.log. Thanks in advance,

Hi All, I’m exploring the API and have it running in Postman. All of the queries report exactly as described in the docs, except ‘List Queries’ ie.

GET /api/v1/fleet/queries

I’m actually receiving this response-

{
  "queries": []
}

I’m not sure how to troubleshoot this, any hints please?

Hello everyone! I have a few questions, I hope you can clarify some of them. Right now we are running Fleet in our private network and Fleet hostname is something like https://osquery.private.tech/, and we are using certificate from our private CA. We want to expose Fleet to the internet via load-balancer with different name in order to hide our company’s private naming, let’s say https://osquery.public.com. Load balancer proxies traffiс with public cert from Global Sign. Is is possible? And if yes what certificate and tls hostname should we pass to --tls_server_certs and --tls-hostname flags? Or we expose Fleet only with original hostname and we can’t change it on proxy side? Thanks!

🏗️ New commits pushed to Fleet »

Hey All, if we needed to sync packs between two different Fleet UIs what would be your recommendation? Script to do imports/exports?

Hey - I just rebooted my (M1) Mac, and now the fleet desktop app is crashing and respawning. Any logs I can check to see whats happening ?

Howdy, I wonder how this ‘Performance impact’ is determined (in scheduled queries)?

Hey <!here>, happy weekend 🍻 I'm excited to announce the release of Fleet 4.17.0. With this release, we are calling both Orbit and Fleet Desktop stable, we added battery health support for macOS, and made a ton of stability improvements and bugfixes. Full changelog: https://github.com/fleetdm/fleet/releases/tag/fleet-v4.17.0. I recommend you enjoy your beer and upgrade early next week, rather than late on a Friday 😉

Hello, we want to use Fleet Teams to segregate our customers. After we create a Fleet Team by API, how can we distribute the

team's enroll_secret

to installer? I’m looking for a way that can be done automatically without manually running again

fleetctl package

with the

team's enroll_secret

. I thought about having a universal installer WITHOUT enroll_secret. During the installation, it will ask Fleet server or one of our servers for the device’s actual team enroll_secret. Will that work? Any other better approaches?

Hi, I upgraded to 4.17.0 today, but since then I can’t get live queries to work, was there any major change I missed between v4.10.0 and v4.17.0?

Hi @here, a quick intro for the channel: I’m Alex and I’m onboarding at Fleet. I’m a former developer from a long time ago in a galaxy far, far away…gone to the dark side of sales kylo …working with @zwass and @mikermcneil to continue building up a Fleet premium offering to help those of you needing world-class support and enhanced feature sets as Fleet and osquery grow in importance to you and your organizations. Looking forward to working with and getting to know as many of you as possible.

Hello team! I'm having issues with updating a password-login user to an sso-login. When clicking on the "Enable single sign-on" box, the password box is available but empty, so the request sends the "password" field also empty and it fails. I remember that in previous versions of Fleet, when enabling the SSO option, the password field was disabled and not sent in the request. Is there any other way to enable the SSO to this user besides using the REST API?

https://osquery.slack.com/archives/C01DXJL16D8/p1657449130127469?thread_ts=1655819083.815489&amp;cid=C01DXJL16D8 can someone help me with that question, please?

Hey guys, I'm getting this error when I run a query on the signature table "constraint failed" the error from the log on my host shows Table signature was queried without a required column in the WHERE clause even though I have a column specified in the WHERE clause, any idea why it's happening ?

Hi all, does anyone have any experiencing with troubleshooting the SAML integration for SSO in Fleet? We’re getting the following error:

There was an error with single sign-on. Please contact your Fleet administrator.

The

journalctl

logs show:

fleet[4403]: level=error ts=2022-07-12T12:55:25.527528789Z component=http user=unauthenticated method=POST uri=/api/v1/fleet/sso/callback took=3.385322ms err="response validation failed: wrong audience:fleet"

Where would I find the logs for fleet logins, user creation, query creation, execution, etc? (to forward to a SIEM)

Hi everyone, is there a difference between Kolide Fleet and FleetDM? or are they the same thing?

Hi All 👋🏽 I’ve just joined fleet and looking forward to helping improve the product!

🏗️ New commits pushed to Fleet »

Hey all, Just updated fleet to 4.17.0, and having a problem with distributed queries. Im getting the following error:

{
  "component": "http",
  "err": "error in query ingestion",
  "ingestion-err": "campaign waiting for listener (please retry)",
  "ip_addr": "ENDPOINT-IP:41730",
  "level": "error",
  "method": "POST",
  "took": "1.136788ms",
  "ts": "2022-07-12T20:38:50.060101107Z",
  "uri": "/api/v1/osquery/distributed/write",
  "x_for_ip_addr": ""
}

Also getting (although not sure its related):

{
  "component": "http",
  "err": "read auth token: reading from websocket: sockjs: session not in open state",
  "msg": "failed to read auth token",
  "ts": "2022-07-12T20:37:57.77330272Z"
}

The problem appears to be the agent talking back to the fleet server, because I can see the query being run on the agent in debug mode. It just seems to fail when posting back the results. Agent is vanilla OSquery 5.1.0 This only started since I updated a few minutes ago from fleet 4.9.1

Hi! There have been some users with issues related to a proxy that doesn't allow websockets. Could this be a factor here? https://github.com/fleetdm/fleet/issues/6049

I dont think so....

forgive me, I'm feeling stupid - I can get a sandbox up and running fine, however I wanted to get a permanent install running, the documentation for "deploy to a server" looks a bit outdated (ubuntu 16) I think and talks about running "fleet prepare db" which doesnt even seem to be an option for fleetctl - any clues please ?

Up and running, thanks for the message

Seeing something unusual with live query export results. No matter how many results come back in a query when I export the results only a single item exists in the CSV. We're on 4.17.0 but not sure if this issue was present in previous versions. Anyone else seeing the same behavior?

hello, i want to ask, why i run query select * from process_events; , i recive Your live query returned no results. on os: ubuntu and centos,

Is there a way to load one of the packs from osquery into fleet without copy pasting each entry ?