https://github.com/osquery/osquery logo
Powered by
#fleet
  • h

    Harrison

    10/31/2022, 7:41 PM
    Hi team. Any guidance on restricting the 
    orbit
    Login Item from tampering in Ventura? To be more specific, I can control this through MDM but not sure what Identifier Type is best to use. I was going to take a stab at it with it Label Prefix: 
    com.fleetdm.orbit
    s
    m
    • 3
    • 6
  • o

    Ojas

    11/01/2022, 7:06 AM
    Hey Guys As you might be already aware, Openssl 3.0.7 which is the patch for the vulnerable 3.0.x version will be dropped today between 1:00-5PM UTC. Just checking if fleet has it and if so any ETA for new patched version release?
    s
    • 2
    • 2
  • r

    Raghavendra Hiremath

    11/02/2022, 4:49 AM
    Hi Team, can anyone help me out in setting up TLS? I am trying out fleet on AWS Instance
    Copy code
    openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes \
  -keyout /tmp/server.key -out /tmp/server.cert -subj "/CN=SERVER_NAME" \
  -addext "subjectAltName=DNS:SERVER_NAME"
    k
    • 2
    • 5
  • m

    MChorfa

    11/02/2022, 12:59 PM
    Copy code
    mchorfa@mchorfa-linux-02:~/tmp$ sudo dpkg  --install fleet-osquery_1.3.0_amd64.deb
(Reading database ... 447044 files and directories currently installed.)
Preparing to unpack fleet-osquery_1.3.0_amd64.deb ...
Failed to stop orbit.service: Unit orbit.service not loaded.
Failed to disable unit: Unit file orbit.service does not exist.
Unpacking fleet-osquery (1.3.0) over (1.3.0) ...
Setting up fleet-osquery (1.3.0) ...
Failed to restart orbit.service: Unit orbit.service not found.
dpkg: error processing package fleet-osquery (--install):
 installed fleet-osquery package post-installation script subprocess returned error exit status 5
Errors were encountered while processing:
 fleet-osquery
    k
    • 2
    • 20
  • p

    peanut butter

    11/04/2022, 3:48 PM
  • j

    jimmy

    11/08/2022, 9:01 AM
    https://osquery.slack.com/archives/C01DXJL16D8/p1667576895324369 I work with peanut butter, when I look at logs osquery it is written that failed to get YARA rule: "https://....."
    • 1
    • 1
  • j

    jimmy

    11/09/2022, 9:02 AM
    https://osquery.slack.com/archives/C01DXJL16D8/p1667898118035939 I'm sorry for bothering you again but maybe someone can help me with this please?
  • a

    Arsenio

    11/09/2022, 5:54 PM
    Hello testing the file carving functionality. We have the carves going to an S3 bucket but the few I have tested return as 1KB in size. Are there agent option we have to enable?
    Copy code
    config:
  options:
    logger_plugin: tls
    pack_delimiter: /
    logger_tls_period: 10
    distributed_plugin: tls
    disable_distributed: false
    logger_tls_endpoint: /api/osquery/log
    distributed_interval: 10
    distributed_tls_max_attempts: 3
  decorators:
    load:
      - SELECT uuid AS host_uuid FROM system_info;
      - SELECT hostname AS hostname FROM system_info;
command_line_flags: {} # requires Fleet's osquery installer
    This is the default we have.
    b
    k
    • 3
    • 8
  • t

    Tiernan

    11/10/2022, 8:19 AM
    Hi Folks 👋 Does it matter where FleetDesktop is installed on a Mac. I am planning on deploying the install via a script & need to specify the target location. Do i need to use a specific location or can I choose where to put it?
    • 1
    • 2
  • n

    nick fury

    11/10/2022, 1:29 PM
    how can I configure the time of the osquery agents at fleet to expire
    j
    k
    • 3
    • 4
  • j

    jimmy

    11/11/2022, 12:29 PM
  • p

    PJ Meyer

    11/11/2022, 5:22 PM
    hey all 👋 i’m running fleet on k8s, with a managed GCP mysql server. does anyone have recommendations on whether it’s better to run a managed redis service (on GCP), or as a sidecar container within the k8s deployment? also, what are the typical redis requirements, like 5, 10, 25GB?
    b
    • 2
    • 14
  • w

    wennan.he

    11/12/2022, 1:48 AM
    Hi Fleet team, in which situation will make all the hosts trying to pull config, i c there is traffic of /api/v1/osquery/config rushing in which is also shown in the below screenshot. we have around 12K hosts, and it has more than 100K calls in an hr with /api/v1/osquery/config.
    z
    • 2
    • 2
  • t

    Terje Kvernes

    11/12/2022, 1:01 PM
    Hi all, I recently installed fleet 4.22.1 and created an rpm that I tested on two clients. The UI itself works well and the clients report in, but when I try to run a query, I get:
    Copy code
    Nov 12 13:52:57 [...] fleet[79831]: {"component":"http","err":"read auth token: reading from websocket: sockjs: session not in open state","msg":"failed to read >
Nov 12 13:53:00 [...] fleet[79831]: {"component":"http","err":"error in query ingestion","ingestion-err":"campaign waiting for listener (please retry)","ip_addr">
    The setup is fleet listening on localhost:8080 and nginx acting as a proxy to serve fleet on *:443. Serving the UI works well, and I have attempted to serve the API specifically via
    Copy code
    location ~/api/v1/osquery {
    grpc_pass <grpcs://127.0.0.1:8080>;
    grpc_set_header Host $host;
    grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_buffering off;
    access_log /var/log/nginx/api.fleetdm.com_access.log;
    error_log /var/log/nginx/api.fleetdm.com_error.log;
 }
    And the access logs suggest everything works fine:
    Copy code
    2001:[...] - - [12/Nov/2022:13:58:57 +0100] "POST /api/v1/osquery/config HTTP/2.0" 200 472 "-" "osquery/5.5.1"
2001:[...] - - [12/Nov/2022:13:59:02 +0100] "POST /api/v1/osquery/distributed/read HTTP/2.0" 200 39 "-" "osquery/5.5.1"
2001:[...] - - [12/Nov/2022:13:59:06 +0100] "POST /api/v1/osquery/distributed/read HTTP/2.0" 200 39 "-" "osquery/5.5.1"
    It is worth noting that the clients are dual stack and the infrastructure runs primarily over IPv6. I am not sure how to debug the report that websocket not being in "an open state". Is there anything in particular I should be looking for/at?
    b
    m
    • 3
    • 15
  • t

    Terje Kvernes

    11/12/2022, 1:24 PM
    Also, I am seeing this in the UI:
    Copy code
    Private IP address
129.240.X.Y
Public IP address
127.0.0.1
  • t

    Terje Kvernes

    11/13/2022, 8:31 AM
    @Eric Shaw https://fleetdm.com/guides/how-to-uninstall-osquery may need updating, For mac, when I created my package, the name was no longer 
    io.osquery.agent
    but instead 
    com.fleetdm.orbit
    .
    k
    • 2
    • 2
  • j

    jimmy

    11/14/2022, 11:15 AM
    what can I do if am locked outside of fleet web ui, and I don't know the password and my email is not configured
    k
    • 2
    • 6
  • a

    alessandrogario

    11/14/2022, 1:32 PM
  • j

    Jincheng Yin

    11/14/2022, 4:24 PM
    Hi team, quick question, where are the server Queries and schedules stored? In DB or server filesystem?
    k
    • 2
    • 2
  • n

    nick fury

    11/14/2022, 8:16 PM
  • r

    Reza Kazemy

    11/15/2022, 5:16 AM
    Hello. I am trying to use fleetDM with Nginx and docker Deployment. Are there any APIs for the first setup on the Fleet project? I check the network section and there is one route which is /api/v1/setup but it is not going to work for me on postman or anything else.
    k
    • 2
    • 4
  • w

    wennan.he

    11/16/2022, 1:25 AM
    Hi fleet team, does FLEET_FILESYSTEM_ENABLE_LOG_ROTATION=true work on syslog generated by fleet service?
  • z

    zwass

    11/16/2022, 4:00 PM
    <!here> I'm excited to announce Fleet 4.23.0 🚀 Headline features are seeing inherited policies for hosts on a team (Fleet Premium), public/private IP address distinction in the host list view, and disk encryption status on the details page. As usual there are a bunch more improvements and bugfixes. More details at https://fleetdm.com/releases/fleet-4.23.0, and binaries/containers are available in the usual places. Enjoy!
  • r

    Ryan

    11/16/2022, 5:18 PM
    Hi Fleet peeps! I spotted after upgrading to Fleet 4.22.1 that our custom osquery extension (which provides a new virtual table called 
    de_metadata
    ) stopped working, in queries where we try to use it, we get an error 
    vtable constructor failed: de_metadata
    Is there a known issue with custom extensions for osquery? We’re using osquery 5.3.0.
    k
    z
    • 3
    • 7
  • s

    Slackbot

    11/17/2022, 12:13 AM
    This message was deleted.
    z
    • 2
    • 1
  • w

    wennan.he

    11/17/2022, 6:41 PM
  • g

    Gabriel Artico

    11/17/2022, 6:49 PM
    Hello, today my fleet stop working, can anyone help me with this error? I'm using fleet with AWS ECS, with fargate service
    b
    • 2
    • 5
  • j

    Jesus Santos

    11/17/2022, 7:23 PM
    Hey fleet people, wanted to make sure my understanding is correct. I know that internally, you use discovery queries for OS detection, however, this option is not present for users with their own packs, is that correct? I tried 
    fleetctl convert
    on a pack which had it, and the discovery part was just not added to the converted file.
    z
    • 2
    • 3
  • r

    Rofl

    11/18/2022, 9:01 AM
    how am i able to build msi and macosx from linux with fleetctl?
  • r

    Rofl

    11/18/2022, 9:02 AM
    Copy code
    $ fleetctl package --type=pkg --fleet-url=<https://X> --enroll-secret=X
Generating your osquery installer...
Unable to find path: /root/root
Error: build pkg: mkbom: exit status 1
    j
    b
    +2
    • 5
    • 16
1...474849...67Latest