Hi Team, Newbie here, wanted to know Fleet server is Stateful Application or stateless application?

someone could help? https://osquery.slack.com/archives/C01DXJL16D8/p1676076744789939

Hey all, how are you doing? I have a load balancer in front of our Fleet instance. In LB, we plan to filter all non-osquery connections. For example: allow just

/API/v1/osquery/*

. Other requests will go through a filter. The idea is to filter who can access the fleet api and FleetUI. Does that make sense to you? Tks.

i am running a query to get airdrop details from mac but i am getting an error: query : SELECT * FROM unified_log where process=“sharingd” and category=“AirDrop” and message like “Start transaction to%“; error: distributed query is denylisted i see in older questions that it was resolved by updating but i already updated to latest fleet and still facing issues

Hi, i had a quick questions about Packs, it looks like in version v4.27.0 the pack menu is no longer reachable in the Fleet UI, i do see this ticket about removing packs from the UI https://github.com/fleetdm/fleet/issues/8887, but afaik based on the release notes packs werent mentioned as being deprecated or removed and while i can still access packs via the URI its not really the best usability wise

🏗️ New commits pushed to Fleet »

Hi guys, how are you? I hope everything is well! I'm using Free Fleet solution, on the ECS AWS service and some days ago I start to receive the message of erro from Orbit. Anyone have this same kind of message? Thank you guys!

{
  "component": "http",
  "err": ": Authentication required",
  "internal": "authentication error: invalid orbit node key",
  "level": "info",
  "path": "/api/fleet/orbit/config",
  "ts": "2023-02-15T12:16:08.980611594Z"
}

Good morning! Are there any disk space recommendations for a newly created Fleet server? I see CPU/Memory recommendations here https://fleetdm.com/docs/deploying/reference-architectures#database-ha - but nothing regarding disk space.

Hello! I would like to setup Mac (darwin) File Integrity Monitoring and because of that I changed the Agent options in fleet to this:

config:
  options:
    pack_delimiter: /
    logger_tls_period: 10
    distributed_plugin: tls
    disable_distributed: false
    logger_tls_endpoint: /api/osquery/log
    distributed_interval: 10
    distributed_tls_max_attempts: 3
  decorators:
    load:
      - SELECT uuid AS host_uuid FROM system_info;
      - SELECT hostname AS hostname FROM system_info;
overrides:
  platforms:
    darwin:
      options:
        disable_audit: false
        disable_events: false
      file_paths:
        etc:
          - /etc/%%
        homes:
          - /Volumes/%%
        users:
          - /Users/%/Library/%%
          - /Users/%/Documents/%%
command_line_flags: {} # requires Fleet's osquery installer

Hello, I'm wondering if anyone knows were to begin to troubleshoot this issue. The dashboard is showing operating systems last updated 2 months ago. Not sure why this is no longer updating. Is there some kind of remote website that it has to reach to get this data?

Hello! I am trying to pull safari extensions using the query you have on your site, but it returns nothing. Is this out of date?

SELECT safari_extensions.* FROM users join safari_extensions USING (uid);

Hey Team, I am getting too much of these logs & even after updating to latest version i am still able to see alot of hosts are offline and i dont see anylogs which provide reason for that:

Good morning afternoon, I am having an issue where these 6 empty hosts keep re-enrolling themselves with no data. I have tired deleting through the Fleet UI and the API, but they keep coming back. I have tried sifting through logs and the only useful information I can find is a generic error stating

Authentication required

. I pulled this via the API using the

/debug

endpoint:

{
  "count": 1353044,
  "chain": [
    {
      "message": "Authentication required"
    },
    {
      "data": {
        "timestamp": "2023-02-16T11:39:00-05:00"
      },
      "stack": [
        "<http://github.com/fleetdm/fleet/v4/server/service.(*Service).AuthenticateOrbitHost|github.com/fleetdm/fleet/v4/server/service.(*Service).AuthenticateOrbitHost> (orbit.go:91)",
        "<http://github.com/fleetdm/fleet/v4/server/service.authenticatedOrbitHost.func1|github.com/fleetdm/fleet/v4/server/service.authenticatedOrbitHost.func1> (endpoint_middleware.go:132)",
        "<http://github.com/fleetdm/fleet/v4/server/service.logged.func1|github.com/fleetdm/fleet/v4/server/service.logged.func1> (endpoint_middleware.go:225)",
        "<http://github.com/fleetdm/fleet/v4/server/service/middleware/authzcheck.(*Middleware).AuthzCheck.func1.1|github.com/fleetdm/fleet/v4/server/service/middleware/authzcheck.(*Middleware).AuthzCheck.func1.1> (authzcheck.go:31)",
        "<http://github.com/go-kit/kit/transport/http.Server.ServeHTTP|github.com/go-kit/kit/transport/http.Server.ServeHTTP> (server.go:121)",
        "<http://github.com/prometheus/client_golang/prometheus/promhttp.InstrumentHandlerRequestSize.func2|github.com/prometheus/client_golang/prometheus/promhttp.InstrumentHandlerRequestSize.func2> (instrument_server.go:245)",
        "net/http.HandlerFunc.ServeHTTP (server.go:2109)",
        "<http://github.com/prometheus/client_golang/prometheus/promhttp.InstrumentHandlerResponseSize.func1|github.com/prometheus/client_golang/prometheus/promhttp.InstrumentHandlerResponseSize.func1> (instrument_server.go:284)",
        "net/http.HandlerFunc.ServeHTTP (server.go:2109)",
        "<http://github.com/prometheus/client_golang/prometheus/promhttp.InstrumentHandlerCounter.func1|github.com/prometheus/client_golang/prometheus/promhttp.InstrumentHandlerCounter.func1> (instrument_server.go:142)",
        "net/http.HandlerFunc.ServeHTTP (server.go:2109)"
      ]
    }
  ]
}

Any other ideas or advice would be appreciated. Let me know if there's any additional information I can provide.

🏗️ New commits pushed to Fleet »

have a question about the self-remediation feature of fleet desktop - my device is failing a policy but i dont see any notification or info about it in "My Device" - is this a Fleet Premium only feature or something?

Is there a flag for

fleet prepare db

to upgrade the database non-interactively? Currently it pauses and wants an interactive

[Enter]

to proceed

is fleet supporting write the result of live query to some where else?

👋 is there a way to backup or manage query schedules via fleetctl ?

hello; is there a way of doing regular expression matching when doing a query? (LIKE "%foo%" matching is too greedy for me 🙂)

i thought perhaps REGEXP_LIKE might be supported, but it doesn't seem to be.

OR it could just be that i am not writing my query correctly, which is probably very much the case.

Hi fleet team, i found the API /api/_version_/fleet/activities, and if i append a SQL in OrderKey and pass in. will it cause sql injection issue? I c the implementation of appendListOptionsWithCursorToSQL method and it doesn't handle that.

🏗️ New commits pushed to Fleet »

👋 quick question - can you please help with a composite query that shows the following

os info
system info
osq version (agent) info

had a quick look at the os_version, system_info and osquery_info and not quite clear how we’d join them (by udid or serial ?) in particular for the osinfo one

Hey @Kathy Satterlee this is the error on my windows host of fleet desktop which is showing offline even when fleet service is running on it.

2023-02-21T18:42:39+05:30 INF Shutdown was requested!
2023-02-21T18:42:39+05:30 INF exit
2023-02-21T18:43:48+05:30 INF fleet-desktop version=1.3.1
2023-02-21T18:43:48+05:30 INF Comm channel was acquired
2023-02-21T18:43:48+05:30 INF ready
2023-02-21T18:43:48+05:30 DBG successfully refetched the token from disk
2023-02-21T18:43:49+05:30 INF Shutdown was requested!
2023-02-21T18:43:49+05:30 ERR get device URL error="GET /api/latest/fleet/device/************/desktop received status 429 limit exceeded, retry after: 0s: limit exceeded, retry after: 0s"
2023-02-21T18:43:49+05:30 INF exit\

Hello everyone, is the Employee/device mapping only for Fleet Premium and Ultimate or also for Fleet Community? And is the mapping the "used by" field in Fleet?

In the context of IPs, I would assume

Public

means publicly-routable? This seems to be a bug then? v4.27.1

Hello everyone, in the Fleet Desktop Demo a tab "Policies" was presented but when having a look at my local fleet instance i can't find this tab. There is just a "Details" and "Software" tab, how can the "Policies" tab be activated?

Hello! for the query parameters for listing software https://fleetdm.com/docs/using-fleet/rest-api#parameters77, are the only searchable fields the ones listed in the docs? or can you query based on source tables like programs or apps?

Just a thing I ran in to regarding: https://fleetdm.com/docs/deploying/faq#what-api-endpoints-should-i-expose-to-the-public-internet It doesn't mention

/api/osquery/log

which is where the scheduled queries/packs etc return to by default. Not sure why its not

/api/v1/osquery/log

or something