osquery #kolide

stefanmaerz

04/10/2019, 5:21 PM

MSI package for fleet? If so this is the right place

harveywells

04/16/2019, 4:31 PM

👋 Hello! If I wanted to specify an event expiry for enrolled Kolide Fleet clients, that would be specified in

options

correct?

mbuono

04/17/2019, 6:37 PM

is there a place to tell kolide to write to the osquery.results.log file with one result per line?

harveywells

04/17/2019, 8:06 PM

Hiya! I’m testing Trail of Bits Google 🎅🏻 extension: https://github.com/osql/extensions/tree/master/santa. I’m trying to write a simple query that just pulls the results of the santa_denied table that the extension adds (

select * from santa_denied

). Is there a way to add a query pack locally to a client even though it receives packs and configs via Kolide?

asla

04/18/2019, 12:28 PM

Hello. In my local setup I have nginx proxy (which terminates TLS) before Kolide Fleet and use Kolide launchers. After reading the docs and messages here on slack, I am still not sure where grpc is used. Could someone please clarify which endpoints use grpc? What about the https:// front-end dashboard? Thanks. My current nginx config (where 127.0.0.1:8080 is the fleet server with

KOLIDE_SERVER_TLS=false

)

Copy code

location /api/v1/osquery/ {
        grpc_pass  <grpc://127.0.0.1:8080;>    
        grpc_set_header Host $host;
        grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    location /api/v1/kolide/ {
        grpc_pass  <grpc://127.0.0.1:8080;>   
        grpc_set_header Host $host;
        grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    location / {
        proxy_pass  <http://127.0.0.1:8080;>    
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_buffering off;
    }

groob

04/18/2019, 1:23 PM

Nginx does not support grpc

groob

04/18/2019, 1:46 PM

perhaps you can provide some details of why your tunnel connection direct to fleet is failing

austinylin

04/20/2019, 2:43 AM

fairly sure I'm doing something stupid, but have fleet setup and a client enrolled, but distributed queries don't seem to be working. Fleet shows the client as enrolled and I see results going into /tmp/osquery_results from the host. When I run a dist query, the host receives it, executes it, and says it's posting it back to the server but nothing happens in the results window.

Copy code

I0419 19:39:36.237423 71012352 distributed.cpp:119] Executing distributed query: kolide_distributed_query_1: SELECT * FROM users;
I0419 19:39:36.286029 71012352 distributed.cpp:119] Executing distributed query: kolide_distributed_query_2: SELECT * FROM users;
I0419 19:39:36.328785 71012352 distributed.cpp:119] Executing distributed query: kolide_distributed_query_3: SELECT * FROM osquery_info
I0419 19:39:36.334825 71012352 distributed.cpp:119] Executing distributed query: kolide_distributed_query_4: SELECT * FROM osquery_info;
I0419 19:39:36.336787 71012352 distributed.cpp:119] Executing distributed query: kolide_distributed_query_5: SELECT * FROM osquery_info;
I0419 19:39:36.346189 71012352 tls.cpp:240] TLS/HTTPS POST request to URI: <https://fleet.redacted/api/v1/osquery/distributed/write>
I0419 19:39:43.415841 68354048 tls.cpp:240] TLS/HTTPS POST request to URI: <https://fleet.redacted/api/v1/osquery/log>
I0419 19:39:53.478049 71012352 tls.cpp:240] TLS/HTTPS POST request to URI: <https://fleet.redacted/api/v1/osquery/distributed/write>
I0419 19:39:53.492719 68354048 tls.cpp:240] TLS/HTTPS POST request to URI: <https://fleet.redacted/api/v1/osquery/log>
I0419 19:40:03.635547 68354048 tls.cpp:240] TLS/HTTPS POST request to URI: <https://fleet.redacted/api/v1/osquery/log>
I0419 19:40:13.613971 71012352 tls.cpp:240] TLS/HTTPS POST request to URI: <https://fleet.redacted/api/v1/osquery/distributed/write>
I0419 19:40:13.692886 68354048 tls.cpp:240] TLS/HTTPS POST request to URI: <https://fleet.redacted/api/v1/osquery/log>
I0419 19:40:23.818622 68354048 tls.cpp:240] TLS/HTTPS POST request to URI: <https://fleet.redacted/api/v1/osquery/log>
I0419 19:40:33.946880 68354048 tls.cpp:240] TLS/HTTPS POST request to URI: <https://fleet.redacted/api/v1/osquery/log>
I0419 19:40:39.743857 71012352 tls.cpp:240] TLS/HTTPS POST request to URI: <https://fleet.redacted/api/v1/osquery/distributed/read>
I0419 19:40:40.005892 71012352 distributed.cpp:119] Executing distributed query: kolide_distributed_query_1: SELECT * FROM users;
I0419 19:40:40.051160 71012352 distributed.cpp:119] Executing distributed query: kolide_distributed_query_2: SELECT * FROM users;
I0419 19:40:40.094993 71012352 distributed.cpp:119] Executing distributed query: kolide_distributed_query_3: SELECT * FROM osquery_info
I0419 19:40:40.096632 71012352 distributed.cpp:119] Executing distributed query: kolide_distributed_query_4: SELECT * FROM osquery_info;
I0419 19:40:40.097954 71012352 distributed.cpp:119] Executing distributed query: kolide_distributed_query_5: SELECT * FROM osquery_info;
I0419 19:40:40.104478 71012352 tls.cpp:240] TLS/HTTPS POST request to URI: <https://fleet.redacted/api/v1/osquery/distributed/write>

Dave Greene

04/22/2019, 9:45 PM

Did anyone ever make any progress on that protobuf-to-json-over-http stuff that was in flight a while ago?

groob

04/25/2019, 7:36 PM

my recommendation is for you to get your logs into something that you can then build an API on top of (or use an existing one)

zwass

04/25/2019, 7:38 PM

Or maybe all you need to do is shell out to

fleetctl query

zwass

04/25/2019, 9:10 PM

Hi <!here> - Announcing the release of Fleet 2.1.1 https://github.com/kolide/fleet/releases/tag/2.1.1 and Docker images available at

kolide/fleet:2.1.1

This release is mostly a collection of bugfixes, but we did not make much of a public announcement for 2.1.0 which added AWS Firehose logging support among other things.

👍 3

🎉 12

mind blown 2

🍻 5

doteater

04/25/2019, 9:59 PM

Is it possible to use the Polylogyx windows extension with fleet/launcher? Or extensions in general? Seems like I'd need to build launcher packages containing the extension/config to start - Would anything need to be done on the server end?

groob

04/29/2019, 3:12 PM

also true ^. is your 1 query returning 10MB of data?

defensivedepth

04/30/2019, 4:38 PM

hey all - I am working on a grafana dashboard for fleet infrastructure, and plan on sharing it once complete. I am interested in hearing what are some key metrics you think should be tracked from a health & performance perspective?

seph

05/01/2019, 2:38 AM

There are some docs up about how to debug at https://github.com/kolide/launcher/blob/ecc76ec6d4baa8e52ae3437589983c48e67f960c/docs/launcher-debugging.md

narsarius

05/03/2019, 6:30 PM

Thanks - I can see the websocket connection in developer tools, not sure where it is getting the parameters to build the request after the initial run though. 1) a run is issued, /api/v1/kolide/queries/run 2) then a /api/v1/kolide/results/info?t={{numeric value}} 3) completes with a /api/v1/kolide/results/{{numeric value}}/{{alpha numeric value}}/websocket The values used in the 2nd and 3rd request are not present in the response of the first request

n8felton

05/04/2019, 1:46 AM

natepalm

cwhits

05/04/2019, 2:23 AM

Copy code

osquery> SELECT hostname AS hostname FROM system_info;
+---------------+
| hostname      |
+---------------+
| ??.<http://ad.rit.edu|ad.rit.edu> |
+---------------+

Keine-Ahnung

05/06/2019, 8:17 PM

Hi, is there a possibility in the kolide webinterface to group the hosts into special groups ? I do not want to group them by os, but into special groups like networks or special usage? Best

groob

05/07/2019, 5:21 PM

idk that many folks here are familiar with filebeat. Maybe google can help?

doteater

05/08/2019, 5:40 PM

Hey folks - I'd like to use an extension (polylogyx) with Launcher but I can't figure out how. Is it possible to include the additional binary in the launcher package? Or do folks currently just use puppet/etc to install extensions?

James Carr

05/10/2019, 3:57 PM

so I tested File Integrity Monitoring out and uh... any good way to consolidate it a bit?

grant seltzer

05/10/2019, 4:04 PM

Hi all, I can't get passed an issue i'm having trying to connect osqueryd to my fleet server. The osqueryd instance is on my laptop and the fleet server is in aws.

Copy code

I0510 11:58:58.693961 3031053184 tls.cpp:240] TLS/HTTPS POST request to URI: <https://foobar.com/api/v1/osquery/config>
{"node_key":""}
<html><body><h1>503 Service Unavailable</h1>
No server is available to handle this request.
</body></html>

seph

05/12/2019, 11:16 AM

how did you install launcher? how did you build it? (i can dig more monday, but the "cant open" looks suspicious

Guy

05/13/2019, 2:38 PM

-.sh

Tim

05/13/2019, 3:57 PM

Quick question, is the numerical ID hosts are identified with in Kolide (the one needed to be sent to the API to do a delete command) supposed to increment by 1 when new hosts are added?

defensivedepth

05/13/2019, 4:30 PM

hey Kolide team - thanks so much for your continued support of tools like Launcher! It would be really useful if there was some type of a status page that noted what versions of Launcher + Osquery the Kolide

beta

stable

channels are currently pulling down.

grant seltzer

05/14/2019, 4:47 PM

Is there any known incompatibility with connecting osqueryd to fleet through a proxy server?

doteater

05/14/2019, 8:30 PM

hey folks - I'm running a distributed query against the yara table. If I use a simple yara rule file it works fine, but when I try a large rules file it always returns 0 results (but doesn't "fail"). I tried running the same query with osqueryi and it works as expected. Is there an issue dealing with large yara sig files via distributed? Seems weird. query is like this: SELECT * FROM yara WHERE path="/root/test" AND sigfile="/root/rules/good.yar";