i keep getting this log in my osquery-status-archive file: {“hostIdentifier”:“******,“calendarTime”:“Tue Oct 4 205305 2022 UTC”,“unixTime”:“1664916785",“severity”:“1",“filename”“options.cpp”,“line”“106",“message”:“The CLI only flag --carver_continue_endpoint set via config file will be ignored, please use a flagfile or pass it to the process at startup”,“version”:“5.5.1",“decorations”{“host uuid”“*--51C8--*“,”hostname”:“ti*****.local”}} how do i fix it or stop it from writing?

Also how would i just get the logs/results from the queries i have created.

++adding to that one of my instance went down because it ran out of memory, how do i setup auto deleting of old logs

Hi fleet team, where we can find the api doc of fleet.

anyone could help https://osquery.slack.com/archives/C01DXJL16D8/p1665116312383089

curious: I created a policy and now i want to see how many of my hosts are failing it? is there a way i can run a query and get the results directly? is it saved in any table which fleet can query?

What's the correct way to set osquery's

config_refresh

via the agent options? Started to get

Could not update settings. common config: json: unknown field "config_refresh"

with the latest version even though it's a valid option based on https://osquery.readthedocs.io/en/stable/installation/cli-flags/#configuration-control-flags

When writing a "pack" SQL can target the

platform:

though I wonder if there's any further more granular level filtering that could be applied, for example; Alice 's machine - creates secrets to share with Bob; I'd like to author a query to check for the presence of Bob's pubkey, it would make sense for this to only be run on Alice's machine. I am not sure if it is at all possible to apply filtering / targeting more granular than the OS in such packs?

From another perspective, this could be useful in DFIR cases, to target response "packs" at only the systems in scope of the incident being investigated.

is it possible to not configure the deb linux installer (using fleetctl) with the enroll secret? Im looking to make the deb installer publicly available (i.e. s3 bucket) and would prefer to not open that to malicious actors

Hi fleet team, if i want to use redis cluster instead of standalone service, is the cfg same between them?

Hi Fleet team, if i need ssl to connect mysql of fleet, how to set the ssl info like cert, key when preparing the db? /usr/bin/fleet prepare db \ --mysql_address=[mysql_ip_address]:3306 \ --mysql_database=XXXX \ --mysql_username=XXXX \ --mysql_password=XXXX this is the current cmd we using. should i add ssl info like /usr/bin/fleet prepare db \ --mysql_address=[mysql_ip_address]:3306 \ --mysql_database=fleet \ --mysql_username=root \ --mysql_password=admin --mysql​_tls​_cert=XXX --mysql_tls_key=XXX --mysql​_tls​_server​_name=XXX ?

Hi everyone, I have recently upgrade Fleet to version v4.21 from v4.0 . I would like to enable Software inventory for Vulnerability management, But I does seems to know where to add the Configuration options form this guide. Do I also need to create a new file/ directory where the data feeds will be downloaded? Thanks in advance

Greetings! Looking into what it would take to use native osqueryd binaries with FleetDM - https://fleetdm.com/docs/using-fleet/adding-hosts#plain-osquery According to the FleetDM docs:

Configuring osqueryd to communicate with Fleet is documented below in the "Native Osquery TLS Plugins" section.

But, there is no

Native Osquery TLS Plugins

section

huh, going back in the git history, looks like that actual section was named that: https://github.com/fleetdm/fleet/blob/981028705e992ef32ee7f26ec190ef9cddbad1aa/docs/01-Using-Fleet/04-Adding-hosts.md#native-osquery-tls-plugins

Hi Fleet team, does fleet upgrade enrolled hosts with osquery automatically?

Hi Fleet team, table app_config_json in fleet db is actually the cfg of enrolled running osquery, right? each host will read this from fleet frequently.

and one more question, if there is any duplicated cfg here to flag file of agent side, which cfg would work?

Hi everyone, i'm currently investigating a reason for an excessive memory utilization coming from Fleet and i was wondering where i can find the logs. It doesn't seem to be in /var/log

Hi fleet team, plz help https://osquery.slack.com/archives/C01DXJL16D8/p1665633027081359

Hello, our Fleet service keeps killing itself after starting the service and rebooting the server. We are thinking the issue is memory utilization. We increased the overall RAM on the server. Does FFleet use JVM or some thing else we can configure the min & max memory of? We think the min (jxs) might be set to the max RAM, but we don't know where those settings would be. Thank you

hi fleet team, how can i know the options i change in ui is pushed to agent side?

any update

Hey y'all! As I'm sure you're aware, Slack has been a bit of a pain today and I may well have dropped a ball or two here and there. I'll be taking a quick run through the threads in the morning when things are hopefully back in working order, but don't hesitate to ping me as well!

Does the sftware inventory removed the older version when the system has updated it to new one? i am seeing in my machine that both versions are installed: so fleets take the data that new version is installed but dosent update the software inventory that older was removed. check the zoom.us.app it says there are both versions

Hello, I’m trying to set up SSO with Okta but receiving the following error. I also tried clicking on “Sign in with Okta” and it doesn’t take me anywhere.

Hi fleet team, i found recently after we cleaned up orbit and running osquery as system daemon service, but agent still has this in the dump log: Oct 14 220422 n121-038-121 osqueryd[563006]: I1014 220422.862608 563137 tls.cpp:255] TLS/HTTPS POST request to URI: https://XXXX.XXX.XXX/api/v1/osquery/distributed/read Oct 14 220422 n121-038-121 osqueryd[563006]: {"node_key":"RnxiqtnNMV2ukNQlWrNtcy8m5f0DfvBP"} Oct 14 220422 n121-038-121 osqueryd[563006]: { Oct 14 220422 n121-038-121 osqueryd[563006]: "queries": { Oct 14 220422 n121-038-121 osqueryd[563006]: "fleet_detail_query_orbit_info": "SELECT * FROM orbit_info" Oct 14 220422 n121-038-121 osqueryd[563006]: }, Oct 14 220422 n121-038-121 osqueryd[563006]: "discovery": { Oct 14 220422 n121-038-121 osqueryd[563006]: "fleet_detail_query_orbit_info": "SELECT 1 FROM osquery_registry WHERE active = true AND registry = 'table' AND name = 'orbit_info';" Oct 14 220422 n121-038-121 osqueryd[563006]: } Oct 14 220422 n121-038-121 osqueryd[563006]: } Oct 14 220422 n121-038-121 osqueryd[563006]: I1014 220422.874121 563137 distributed.cpp:131] Executing distributed query: fleet_detail_query_orbit_info: SELECT * FROM orbit_info Oct 14 220422 n121-038-121 osqueryd[563006]: E1014 220422.874183 563137 distributed.cpp:145] Error executing distributed query: fleet_detail_query_orbit_info: no such table: orbit_info Oct 14 220422 n121-038-121 osqueryd[563006]: I1014 220422.874310 563137 tls.cpp:255] TLS/HTTPS POST request to URI: https://XXXXapi/v1/osquery/distributed/write Oct 14 220422 n121-038-121 osqueryd[563006]: {"queries":{"fleet_detail_query_orbit_info":[]},"statuses":{"fleet_detail_query_orbit_info":1},"messages":{"fleet_detail_query_orbit_info":"no such table: orbit_info"},"node_key":"RnxiqtnNMV2ukNQlWrNtcy8m5f0DfvBP"} why the agent keeps got this from fleet? it is not supposed to happen if we remove orbit, right?

hi all - anyone have some advice for me to get our brand new fleetdm working? It was working with the self signed certs - but I tried to extract the crt and key files from a wildcard pfx we use - I added those to the fleet.service file - and now when I start up fleet, I get a series of "Authentication required","internal":"Authentication error: invalid device authentication token. As well as a 2nd error repeating "TLS handshake error from (localhost IP address): remote error: tls bad certificate" I've tried to install the .deb file on my Ubuntu server (host) as well as one windows host so far - using the default pre-built "Add Hosts" statements using the Fleet-Desktop option for Orbit.

I am using fleet 4.9.1 when I press on the queries bottom at the web ui my fleet ui get stuck for something like 8 seconds. do you have any evidence that update will solve the problem?

Hi, it's me again from https://osquery.slack.com/archives/C01DXJL16D8/p1665682341784749 We rollbacked our db to ensure the db was not causing the issue - it was not. I upgrade our PR fleet server to 4.21.0. No errors when running

systemctl status fleet.service

after upgrading from 4.17.0 to 4.21.0. The OSquery web UI was even working briefly after the upgrade! However, the fleet service continues to use up all memory on server until it kills itself. I don't know what to do next! This issue is not happening in our NP environment and they have almost identical hosts and queries on both