Hi, differential scheduled queries at first run will send all rows as “added”, is there a way to avoid this? thanks!

Hi, i have a question related to fleet enrolment, when a new cert is generated, deployed to fleet and pushed the the agent, osquery was not able to access fleet, but when the cert was downloaded from fleet it worked, so why the cert changed? shouldn’t it be the same cert fleet and osquery using ?

I'm seeing the following errors in my logs

"err":"retrieve live queries: receive sql: redigo: nil returned"

. They appear to be caused either be running a query live via

fleetctl

or ending one of those queries early. However, the errors keep popping up in the logs long after any queries are being run. They seem to spike up in regular 5 minute intervals, which is my

logger_tls_period

. Is there something I can do to fix these?

can anyone confirm which api endpoint is used when osquery responds to a distributed query from Fleet? I know distributed queries aren't logged, so I'm thinking that it won't be the log endpoint. Maybe /distributed/write or /distributed/read? distributed/write seems most appropriate

Quick question for ya'll I recently changed my

url_prefix

value and now agents are not enrolling. Here is what I modified: 1. kolide.yml adding

url_prefix

. Set it to

/fleet

. Not Trailing / 2. Changed

osquery.flags

from the agents to prepend

/fleet

on everything (/fleet/api...) 3. Changed all

fleetctl

references with

/fleet

in the front.

fleetctl config --url_prefix /fleet

...... What I'm I missing? Agents are not registering. =/ I am use

osqueryctl

on MacOS

Anyone written grok parsing(Logstash) for osquery. I tried using filebeat osquery module not working.

Hey everyone. I'm noticing that Fleet isn't reflecting updates to client versions. I've updated 4 clients from 4.5.1 to 4.7.0 but Fleet still shows them at 4.5.1. Even more interesting, if I run

select * from osquery_info;

from Fleet as a distributed query, the results show 4.5.1, but when I run it on the servers themselves via osqueryi, I see 4.7.0. Is there a trick to get Fleet to update?

Got a quick feature suggestion for the results table of a query - when filtering in each column, it would be super handy if a count could be shown of the number of results matching the filter. For example where it says something long the lines of “376 out of 500 online hosts responding” for the query, and then you filter one of the columns, it would be good to see how many are in the filter subset. Does that make sense?

Hi, guys. As we continue with the load tests we're running in our labs, we are still banging our heads against similar problems: in our setup, with a single 2-core, vanilla Fleet 3.10 fronted by a load balancer and with separate SQL and REDIS servers, we are able to reach between 2,000 and 4,000 hosts depending on the config. All hosts are docker-simulated. Apparently, everything runs fine for some time and even the main stats of the Fleet server look great (<5% CPU consumption, etc.), but, at some point in time, the CPU sky-rockets to 100%, the number of database connections increases too and eventually the whole system goes down.

Hey there, is there a way to know which hosts a query has failed on? 🤔

Hey folks. Is there a chart that talks resources to provide fleet server versus how many agents are reporting back?

I'm using Python to call Fleet's WebSocket API and I'm having the following error. Does anyone have a similar problem?

Hi folks have you tried to use like case insensitive before in fleet queries.

PRAGMA case_sensitive_like=true;

i found that osqueryi is able to run the queries fine, but when i set the query in fleet osquery agents throws this error

osqueryd[14484]: E0419 07:48:08.537770 14488 registry_factory.cpp:178] sql registry sql plugin caused exception: map::at:  key not found

Hi Fleet. Question on MIA hosts. Will they eventually be removed from Fleet even if host expiry isn't turned on, or do I have to actually turn it on?

This message was deleted.

Fleet fam, do we have dark mode? 😅 Saw something about "dark mode compatible logos" but didn't see anything in the docs.

Hi all, is there a way to set up more than 1 certificate to the FleetDM server? Due to the recent discovery of performance issues with RSA 4096key i want to switch a whole deployment to a new certificate with ECDSA in the most seamless way possible. I do not know if this is possible at all, the only way i could think of is to bundle the certificates in the same file and change

--tls_server_certs

flag in the osquery side and once all the agents are using the new file, then change the certificate in the FleetDM side. I wonder if there is a better way to handle a certificate change?

Hi, I am trying to persist osquery 

results

 and 

logs

. I am trying to use 

filebeat

 to forward the logs to a 

graylog

 server. I set up the 

sidecar

 and

filebeat

on my fleetserver and as per the official documentation but I can't see any logs coming in. Has anyone come across any  guide or how-to doc that I can refer? (edited)

is there a way to tell it to dump old records?

Hi, guys. In the seek of your help again: is there any way we can instruct the agents from Fleet to purge the RocksDB contents? Following with our tests we see a number of agents that have become unstable and we suspect it might be related to their internal database. Is there any way we could handle this cleanup centrally? Any advise or similar experiences?

Hi, i tried to build osquery .msi-installer with "orbit" and encountered the following error:

[13:25 Uhr] heat.exe : error HEAT0001 : Access to the path 'Z:\wix\root\bin\orbit\windows\stable' is denied.

Does someone know how to change the WIX build path?

Hi, I encountered the following issue: If a large query cant be processed in time the agent resources are not cleaned up properly and no further queries are processed. The issues can also be replicated by using the "stop"-btn on the fleet-query-ui. I would be very glad about any suggestions.

Hey, I'm pretty new to Fleet and tinkering with how we should setup our server & enrollment. Ideally I would like to distinguish 4 types of devices (2 different data centers, employees, students). I'm wondering of I can somehow handle this via different enroll secrets and labels. Can I retrieve the name of the enroll secret with a query?

GitHub issues start at #0? TIL

is it bad practice to run hourly snapshot queries across 50k different devices? Or should we limit snapshot queries to daily interval and only have differential queries be hourly?

Hello all - I’m currently working on onboarding the data below into Splunk from Fleet but wasn’t sure about the

s

field values (0,1,2) stand for. I believe it stands for

severity

but wasn’t sure on what the 0/1/2 stands for (INFO,WARNING,FATAL?). Was curious if anyone knows what they stand for. Oh - does anyone know what the

i

field stand for too? Thanks!

{
  "s": 0,
  "f": "interface.cpp",
  "i": 110,
  "m": "Registering extension (kolide, 16829, version=, sdk=)",
  "h": "hash_here",
  "c": "Fri Mar 19 21:03:27 2021 UTC",
  "u": 1616187807
}

Hi, i am workingon an docker-compose file to super fast put fleet as a docker on my hosts:

version: '3.7'

services:

fleet:

image: fleetdm/fleet:latest

container_name: fleet

depends_on:

- db

- redis

secrets:

- db-password

- server-certificate

- server-key

- jwt-key

environment:

FLEET_MYSQL_ADDRESS: localhost:3306

FLEET_MYSQL_DATABASE: kolide

FLEET_MYSQL_USERNAME: fleet

FLEET_MYSQL_PASSWORD: 1234

FLEET_REDIS_ADDRESS: localhost:6379

FLEET_SERVER_CERT: /run/secrets/server-certificate

FLEET_SERVER_KEY: /run/secrets/server-key

FLEET_AUTH_JWT_KEY: /run/secrets/db-password

restart: always

networks:

- my_network

ports:

- "1337:1337"

command: [ "fleet", "prepare", "db"]

entrypoint:

- /usr/bin/fleet

- serve

db:

image: mysql:5.7

container_name: db

secrets:

- db-password

restart: always

volumes:

- ./db:/var/lib/mysql

environment:

MYSQL_DATABASE: kolide

MYSQL_ROOT_PASSWORD_FILE: /run/secrets/db-password

MYSQL_USER: fleet

MYSQL_PASSWORD: 1234

networks:

- my_network

ports:

- "3306:3306"

redis:

image: redis:latest

container_name: redis

restart: always

networks:

- my_network

ports:

- "6379:6379"

secrets:

db-password:

file: ./password.txt

server-certificate:

file: ./server.cert

server-key:

file: ./server.key

jwt-key:

file: ./jwt.key

networks:

my_network:

driver: bridge

but the fleet docker will not connect to the mysql instance:

fleet | mysql="could not connect to db: dial tcp 127.0.0.1:3306: connect: connection refused"

I also tried it with

mysql:8.0

but the error stays the same. I would be very thankfull for any ideas!

Hello Fleety friends! We've just released Fleet 3.11.0 on GitHub and Docker Hub. This release includes a new software inventory feature, quick access to saved queries on the host details page, and a significant improvement to steady-state mysql performance. Check out the full release notes at https://github.com/fleetdm/fleet/releases/tag/3.11.0. Please note software inventory is flagged off by default as we are not yet confident in its performance characteristics on larger Fleet deployments. See https://github.com/fleetdm/fleet/blob/master/docs/2-Deployment/2-Configuration.md#software-inventory for information on enabling it. We would hugely appreciate anyone who can provide before/after MySQL performance stats when flipping this flag on a larger (5k+ hosts) deployment. <!here>

While we have your attention, a quick poll: Do you appreciate seeing GitHub PR status in the channel here? Please vote via emoji reaction... ✅ - Please continue with this setting as currently 🎯 - Please use a daily digest of GitHub commits 💀 - You're killing me with all this spam. Please turn off GitHub activity.

Upgraded to 3.11 with feature flag. Looking good for Ubuntu packages. It's cool to see this feature live now. I'm still at the beginning of the Fleet rollout, but I know that most Linux users in my company are using Arch Linux (including me). The osquery package that is available in the default Arch Linux repo contains a patch to also report packages installed on Arch as proposed in https://github.com/osquery/osquery/issues/6477 - what would be the best way to get Arch software reporting in fleet as well? PR to adjust the query or would you prefer to get this in a official osquery release 1st?