Hello folks! @Noah Talerman just dropped our 3.7.0 release which is now available by all the usual channels -- binaries on GitHub, Docker containers, and

fleetctl

on npm. There's a fix for a low severity security vulnerability (https://github.com/fleetdm/fleet/security/advisories/GHSA-xwh8-9p3f-3x45) along with a sweet new host details page, live query error messages visible in the UI, and more. Check out the changelog (https://github.com/fleetdm/fleet/releases/tag/3.7.0) for full details. <!here>

@zwass and I just upgraded production to 3.6 last night…

@zwass what are the flags again for the TLS verbose mode when troubleshooting?

For me, the osquery clients continue to work fine, but I have Nginx sat in front of the web interface, and the problem is between Nginx and Fleet. When I downgraded the Fleet TLS to

intermediate

from

modern

it started working again.

server:
 	tls_compatibility: intermediate

In retrospect maybe I should have moved the default to

intermediate

? Penny for your thoughts... We could change that default for the next Fleet release.

I think we can leave it at Modern, but maybe a bit more notice as to what the change could bring, especially those using a proxy?

Hi, there's any way to export Query Packs (along with its queries) ?

I notice in the new 3.7.1 host details page it lists which enroll secret a host used. Is there a way to reference that in a label yet?

Hello, why is it that my online query on Fleet UI is not the same as my differential query?I ran a query on Fleet UI every half an hour and found no change, while using a differential query generated logs every half an hour

Hello, on Mac, there are 4 different way to get the "hostname" : HostName, LocalHostName, ComputerName (from

scutil

) and the one for NetBIOS. The NetBIOS name is a dynamic name that can change regarding the connected network. In our company, when a user is connected to our VPN, that NetBIOS name change and use the local IP adress, eg the name is

ip-192-168-1-17.eu-west-1.compute.internal

. In FleetUI, the hostname displayed is that name. I guess it comes from the field

hostname

of table

system_info

but for my usage I wanted to use the field

local_hostname

or

computer_name

. Is there a way to change this ? Otherwise I will open a feature request 🙂

Hello! Is it possible to reinitialize Fleet with DB without uninstalling? Maybe these is some kind of flush?

Anyone mind dropping some community packs/queries? Here are some links I have found that have syntax (good or bad lol): https://github.com/osquery/osquery/tree/master/packs https://resources.infosecinstitute.com/topic/threat-hunting-with-kolide-and-osquery/ https://github.com/palantir/osquery-configuration https://engineering.fb.com/2014/10/29/security/introducing-osquery/ https://www.alibabacloud.com/blog/server-endpoint-security-with-osquery_594950?spm=a2c41.13076147.0.0 https://github.com/teoseller/osquery-attck

Hi! The new “Errors” output when running a Live Query is very nice and helpful, but I was wondering if there was a way to export it, similarly to the “Results” table which is above it. It would make it easier to go through and identify the main errors when running against a large number of hosts.

How might I determine if an osqueryd is failing to enroll with fleet? I know I can check logs, but I'm trying to figure out a way to monitor all my hosts to ensure they're all enrolled and communicating with fleet? I was hoping there was an osquery table / field for this but I couldn't find anything that differed between one of my enrolled osqueryd hosts and one of the ones having issues.

Hi, wanting to set up a fleet container, i have this log. I bonded one port to :443

{
  "terminated": "listen tcp 0.0.0.0:443: bind: permission denied",
  "ts": "2021-02-08T14:56:39.536145305Z"
}

Does KOLIDE_FILESYSTEM_RESULT_LOG_FILE still working? My query packs doesn't log anything on filesystem

Which Interface does Fleet read when determining IPV4 Address on Host Info?

Hello! Can anybody tell me can i change certificate? now we have cn=ip but we need to use fqdn now.

Hello. I've installed osquery on one my host, i'm seeing tracking from the host to fleet host but fleet is not enrolling it. Any way to debug it?

Hello, I'm trying to run a couple differential packs in fleet and one of them is always returning with epoch and counter set to 0, could anyone take a look? Details in 🧵, please let me know if there's a more appropriate place to put this (github, diff slack channel, etc).

Hi all, I’ve just updated our Fleet server to the latest available and now see the attached when attempting to start the service. Running

prepare db

returns

migrations complete

but this continues to show in the logs. Any tips on how to resolve, please?

FYI 3.7.4 is a

fleetctl

-only release that includes fixes to the

fleetctl preview

experience. Most folks in this channel will have no reason to upgrade.

Hi guys, wondering if anyone has run into this while configuring tls for mysql.

Feb 15 21:50:44 <ec2> systemd[1]: Started Kolide Fleet.
Feb 15 21:50:44 <ec2> fleet[10720]: Using config file:  /etc/kolide/fleet.yml
Feb 15 21:50:44 <ec2> fleet[10720]: Error initializing datastore: register TLS config for mysql: register mysql tls config: key 'true' is reserved
Feb 15 21:50:44 <ec2?Feb 15 21:50:44 osquery-service-><http://ab251.ec2.vzbuilders.com|ab251.ec2.vzbuilders.com> systemd[1]: Unit fleet.service entered failed state.
Feb 15 21:50:44 <ec2> systemd[1]: fleet.service failed.

It looks like it hates the key true, however from the documentation:

mysql_tls_config
The tls value in a MYSQL DSN. Can be true,false,skip-verify or the CN value of the certificate.
Default value: none
Environment variable: FLEET_MYSQL_TLS_CONFIG
Config file format:
 mysql:
 	tls_config: true

Anyone currently using TLS for Fleet's MySQL connection? Can you show us how you are configuring that in Fleet?

Will there be a flat-fee "support" plan available to fund development? I don't want to use any proprietary features so the per-device tier doesn't fit our approach. I tried getting money set aside to fund development of features, but that was more difficult than I expected internally, but since I have no plans to open any support tickets I was wondering if that would be a good way to dedicate some of our department's budget. Companies seem to be happy to pay for support contracts, but development is scarier to them for whatever reason.

is there any way to turn off the /metrics endpoint? we don't want that data exposed, and it's available without going through SSO

Am I correct in thinking that adding MacOS host to Fleet requires a TLS Cert trusted by the Mac, regardless of if it’s build with the launcher or otherwise?

the database only has a scheduled_queries table (not a table called sq) and the container has been running for 17d so that should rule out any changed / updated image being pulled and run

Hello, i have no access to one on my hosts deployed with kolide launcher. I need to debug it because it's not enrolling to fleet. I have enabled verbose and tls flags. Do i need to debug it from fleet or from the hosts logs?

[10:30 PM] LP process_cpu_seconds_total Total user and system CPU time spent in seconds.
# TYPE process_cpu_seconds_total counter
process_cpu_seconds_total 6737.64
# HELP process_max_fds Maximum number of open file descriptors.
# TYPE process_max_fds gauge
process_max_fds 1.024e+06
# HELP process_open_fds Number of open file descriptors.
# TYPE process_open_fds gauge
process_open_fds 57
# HELP process_resident_memory_bytes Resident memory size in bytes.
# TYPE process_resident_memory_bytes gauge
process_resident_memory_bytes 7.098368e+07
# HELP process_start_time_seconds Start time of the process since unix epoch in seconds.
# TYPE process_start_time_seconds gauge
process_start_time_seconds 1.61130246694e+09
# HELP process_virtual_memory_bytes Virtual memory size in bytes.
# TYPE process_virtual_memory_bytes gauge
process_virtual_memory_bytes 7.47896832e+08
# HELP process_virtual_memory_max_bytes Maximum amount of virtual memory available in bytes.
# TYPE process_virtual_memory_max_bytes gauge
process_virtual_memory_max_bytes -1
# HELP promhttp_metric_handler_requests_in_flight Current number of scrapes being served.
# TYPE promhttp_metric_handler_requests_in_flight gauge
promhttp_metric_handler_requests_in_flight 1
# HELP promhttp_metric_handler_requests_total Total number of scrapes by HTTP status code.
# TYPE promhttp_metric_handler_requests_total counter
promhttp_metric_handler_requests_total{code="200"} 8
promhttp_metric_handler_requests_total{code="500"} 0
promhttp_metric_handler_requests_total{code="503"} 0

This information is available without logging to the fleet . Any suggestion , how to fix this . Is there any config option available to bar from revailing this information to attackers.