FleetDM 3.8.0 When running a live query, I expand the Live Query results section and it doesnt auto-expand to fill the entire screen like it used to. Is this to be expected?

I am new to kolide fleet and I am trying to import osquery conf files(packs) in fleet. I couldn't see any option in UI. Can anyone give me some pointers if I can import conf files directly instead of creating packs manually via fleet UI.

The current API docs say to use: https://github.com/fleetdm/fleet/blob/master/docs/1-Using-Fleet/3-REST-API.md#example-with-one-host-targeted-by-id But

/spec/

is not currently used in the Fleet API - is this future or just an oversight in the docs?

Fleet YAML questions <thread>

Label / Additional host query question <thread>

I’m trying to set up FIM and I’m wondering what are the different ways it can be scoped to hosts? In my current config I have it scoped to 

platforms: darwin

 and this works, like so:

overrides:
    platforms:
      darwin:
        exclude_paths:
          downloads:
            - /Users/%/Downloads/ignore/%%
        file_paths:
          downloads:
            - /Users/%/Downloads/%%

However I want to have another set of paths targeting CentOS. The centos platform definition doesn’t seem to work for whatever reason. Can you scope FIM any other way, such as by label?

Hello <!here>, we've just dropped Fleet 3.9.0 on GitHub and Docker. This release was mostly focused on stability -- We addressed some longstanding bugs that were uncovered when we added the host details page and also improved the options for managing duplicate host enrollments. If you've been having trouble with duplicate host identifiers and/or enrollment cooldown, please have a look at the changelog and give 3.9.0 a go! https://github.com/fleetdm/fleet/releases/tag/3.9.0

#417 - make host identifier configurable within Fleet <thread>

#418 Make enrollment cooldown configurable <thread>

@zwass I was just about to update my prod from 3.7 to 3.8 - should I hold off and go from 3.7 to 3.9 that was just released, or should I go to 3.8 in the interim?

I am running into an issue and I am not sure where to start looking and in which log files. I have a query that runs fine on individual machines and ran fine across almost 1500 machines last night, but is getting a few hosts in (12, 21, and 5) and then the query hangs and you get nothing. We have let it run for 15+ minutes, where last night it finished in about 7 total with the last 3 or 4 minutes results dribbling in. My gut says something is hanging, and I am not sure if it is on the fleet server, or one of the clients causing issues.

Hello, has anyone encountered a situation where the client is often offline

I just tried to launch the latest OSQuery in box and it never generated fleet.crt / fleet.key , and I can't seem to get OSQuery to accept a self signed cert on fleet (this is for testing) , any ideas?

Hi everyone. What is the supported way to control config locally but still register / send results to Fleet? Does this require shifting to the filesystem config_plugin and controlling all packs locally as well, or is there a way to still control packs and queries at Fleet, but the other config locally? More details below. We are testing how how we can set all osquery config at our clients and not have any centrally set at Fleet. For our test we removed these 3 lines from our osquery.flags file:

--config_plugin=tls

--config_tls_endpoint=/api/v1/osquery/config

--config_refresh=3600

We still have the following in osquery.flags

--enroll_secret_path=REDACTED

--tls_hostname=REDACTED

--host_identifier=uuid

--enroll_tls_endpoint=/api/v1/osquery/enroll

--disable_distributed=false

--distributed_plugin=tls

--distributed_interval=60

--distributed_tls_max_attempts=3

--distributed_tls_read_endpoint=/api/v1/osquery/distributed/read

--distributed_tls_write_endpoint=/api/v1/osquery/distributed/write

--logger_plugin=tls

--logger_tls_endpoint=/api/v1/osquery/log

--logger_tls_period=10

-–watchdog_memory_limit=500

I'm seeing some strange stuff in this test environment. The hosts will register to fleet, but if you refresh fleet UI, every 10 - 15 seconds or so the hosts will flap between offline and online. Additionally, we aren't logging ANY query results at fleet for these nodes even though we have a few simple ones scheduled. When I run osquery in debug on these nodes, I see the registration, but no decorators, options, packs or queries. I tried adding back in config_plugin=tls and then started to get a bunch of errors about enrolling too often.

We're running into a weird behavior after upgrading to 3.5 to 3.8 related to the s/kolide/fleet/ in distributed query names. We have

distributed_tls_max_attempts

set to 3, but osquery clients continue to send old distributed query results which results in repeated 500s with Fleet logging error messages indicating the hosts are still using old query names. Some example error logs:

failed to ingest result: unknown query prefix: kolide_detail_query_osquery_flags
 failed to ingest result: unknown query prefix: kolide_label_query_9
 failed to ingest result: unknown query prefix: kolide_detail_query_uptime

As far as I can tell after looking at how Fleet generates host detail queries, this might just be an issue with OSQuery not honoring the max attempts setting? Anyone else run into this, or know for a fact that the max attempts setting actually works?

I see on the fleet website a feature that you have in the future is "Software inventory". I am wondering if there is anything I could do to help with that?

We’re currently running fleet behind a load balancer that handles https and fleet itself listens on http on the back end. I notice I can’t seem to use fleetctl pointing to localhost because it demands an https connection. Is there currently a flag to override that? I don’t see one.

I am running into an issue and now sure where to start looking. My fleet server, which is running on an EC2 keeps dying frequently. It normally comes up (not always) after a couple of restart but dies at a later point. Sometimes the webpage give 502 even when the service status is up and running.

Hi Fleet folks, was wondering if anyone had any examples of config that allowed your osquery client to communicate with the Fleetdm service via a proxy?

Is there a PowerShell module for working with the FleetDM API?

Hiii, I am struggling add host, Getting error TLS/HTTPS POST request to URI: https://xxxxx:8412/api/v1/osquery/enroll Failed enrollment request to https://xxxxx:8412/api/v1/osquery/enroll (Request error: certificate verify failed) retrying... flagfile.txt

# Server
--tls_hostname=xxxxx:8412
--tls_server_certs=/home/dell/fleet.pem

# Enrollment
--host_identifier=instance
--enroll_secret_path=/home/dell/secret.txt
--enroll_tls_endpoint=/api/v1/osquery/enroll

# Configuration
--config_plugin=tls
--config_tls_endpoint=/api/v1/osquery/config
--config_refresh=10

# Live query
--disable_distributed=false
--distributed_plugin=tls
--distributed_interval=10
--distributed_tls_max_attempts=3
--distributed_tls_read_endpoint=/api/v1/osquery/distributed/read
--distributed_tls_write_endpoint=/api/v1/osquery/distributed/write

# Logging
--logger_plugin=tls
--logger_tls_endpoint=/api/v1/osquery/log
--logger_tls_period=10

# File carving
--disable_carver=false
--carver_start_endpoint=/api/v1/osquery/carve/begin
--carver_continue_endpoint=/api/v1/osquery/carve/block
--carver_block_size=2000000

secret.txt and fleet.pem are at home directory. please help me to resolve this issue. Thank you

hi. Does this mean that fleet was upgraded without first running prepare db?

"version": "3.9.0-dirty",

Hi Fleet. Looking to set logger_tls_compress=true on our osquery clients, but the docs say that logger endpoint must support GZIP for content encoding. Can anyone tell me if Fleet and if so, does and if that requires anything to be set at Fleet?

Hi guys, my agents seem to not trust the server's certificate (

Failed enrollment to https://<address>/api/v1/osquery/enroll (Request error: certificate verify failed)

), even though it is signed by our organization's CA. When I access the web UI through Chrome, for example, it says "secure", which means the certificate is OK. Any ideas?

Hello! Could you tell me please, is it possible to log the actual time of arrival of the event from the osquery client (not the query time) in Fleet status and result logs? We analyze different cases of receiving events for VPN users, it would be very useful for further debugging. If there is no such functionality, can I put a ticket to the github for its implementation?

I just played around with orbit briefly - seems nice! Very similar to launcher. Is this a fork of launcher, or a ground-up new thing? Also curious if there's a rough ETA on the Windows version/packaging....

New release of Security Onion today (2.3.40) completes our move from Kolide Fleet to FleetDM. Looking forward to continue working with @zwass and the rest of the FleetDM team! https://twitter.com/securityonion/status/1374082181304291332

What are people using the lambda logging output for? I played around with osquery -> kinesis -> s3 -> lambda last year and suppose going straight to lambda would be cleaner, but I never found a good use case of lambda with our setup.

Would adding the ability to sent logs from fleet to Kafka be an idea that could be considered?

Has anyone come across the fact that Queries tab is getting empty after refresh? We are using recent Fleet 3.9.0 and added Packs and queries via ‘fleetctl apply’ command and it finished successfully, we see all queries in the database, but we don’t see them via UI. Strange thing that all packs are visible and if we get to query via Packs UI - it shows in the Queries tab, but after refresh it is empty again (see screenshots attached)