doggles
08/13/2019, 9:11 AM
password login not allowed for single sign on users
but I cannot currently log in with SSO, as the button does nothing at all when clicked.
asparamancer
08/13/2019, 4:25 PM
soumitr
08/13/2019, 5:09 PM
asparamancer
08/13/2019, 5:18 PM
asparamancer
08/13/2019, 6:54 PM
```
{"caller":"publish_logs.go:157","err":"rpc error: code = Unknown desc = decoding status log: json: cannot unmarshal number into Go struct field StatusLog.s of type string","errcode":"","logType":"status","log_count":245,"message":"","method":"PublishLogs","reauth":false,"severity":"info","took":"8.9738ms","ts":"2019-08-13T18:53:06.1527632Z","uuid":"2cd21994-a8bb-4c5e-843a-95b28407c5b3"}
{"caller":"extension.go:494","err":"sending status logs: writing logs: transport error sending logs: rpc error: code = Unknown desc = decoding status log: json: cannot unmarshal number into Go struct field StatusLog.s of type string","severity":"info","ts":"2019-08-13T18:53:06.1527632Z"}
```
I assume I've not configured something/misconfigured something but not entirely sure what would be the root cause - anyone seen this before?
Jean M
08/14/2019, 10:03 AM
AoS
08/14/2019, 2:04 PM
fritz
08/14/2019, 2:36 PM
David M
08/14/2019, 5:14 PM
David M
08/14/2019, 8:23 PM
David M
08/16/2019, 12:30 AM
seph
rwx
08/16/2019, 12:59 PM
OMAR
08/16/2019, 10:06 PM
```
filesystem:
  status_log_file: /var/log/osquery/status.log
  result_log_file: /var/log/osquery/result.log
osquery:
  status_log_plugin: filesystem
  result_log_plugin: filesystem
```
I did notice that the results are being written to /var/log/syslog, but the output there is from whatever /usr/bin/fleet writes to stdout, which isn't in the most optimal form for shipping logs and making them searchable. Is there something I'm missing here?
I found the /var/log/syslog by grepping the entire filesystem for results from a scheduled query. basically `grep -cri 'aapocclcgogkmnckokdopfmhonfmgoek' / 2>/dev/null | grep -v :0` to see where this chrome extension shows up, and it's only in the syslog file, not ever /var/log/osquery/*
Gavin
08/19/2019, 9:10 PM
foo.host.domain
where cert is *.host.domain
David M
08/20/2019, 12:15 AM
Abraxas
08/20/2019, 4:19 PM
Skarl
08/20/2019, 5:59 PM
OMAR
08/21/2019, 2:15 PM
andybot
08/21/2019, 7:30 PM
/hosts/manage endpoint start to fail (return 0 hosts) when scaling beyond ~8K hosts?
Perk
08/22/2019, 2:15 PM
terracatta
Notice that the `interval` time in seconds is how many seconds the daemon itself has been running before the scheduled query will be executed. If the system is suspended or put to sleep the progression of time "freezes" and resumes when the system comes back online. For example a scheduled query with an interval of 84600, or 24 hours, running on a laptop system could take a few days before the query executes if the system is suspended at night.
Michael Bailey
08/24/2019, 5:53 AM
MattJ
08/28/2019, 3:48 PM
David M
08/28/2019, 5:58 PM
pirxthepilot
08/29/2019, 5:38 PM
Steven Swager
08/30/2019, 5:11 PM
```
[Unit]
Description=Kolide Fleet
After=network.target

[Service]
LimitNOFILE=8192
ExecStart=/usr/bin/fleet serve \
  --mysql_address=127.0.0.1:3306 \
  --mysql_database=xxxxxx \
  --mysql_username=xxxxxx \
  --mysql_password=xxxxxxxxx \
  --redis_address=127.0.0.1:6379 \
  --server_cert=/opt/fleet/certificates/server.cert \
  --server_key=/opt/fleet/certificates/server.key \
  --logging_json=true \
  --auth_jwt_key=xxxxxxxxxx \
  --filesystem_status_log_file=/var/log/osquery/status.log \
  --filesystem_result_log_file=/var/log/osquery/result.log

[Install]
WantedBy=multi-user.target
```
and
```
apiVersion: v1
kind: options
spec:
  config:
    decorators:
      load:
        - SELECT uuid AS host_uuid FROM system_info;
        - SELECT hostname AS hostname FROM system_info;
    options:
      disable_distributed: false
      disable_events: false
      disable_logging: false
      distributed_interval: 10
      distributed_plugin: tls
      distributed_tls_max_attempts: 3
      distributed_tls_read_endpoint: /api/v1/osquery/distributed/read
      distributed_tls_write_endpoint: /api/v1/osquery/distributed/write
      logger_event_type: true
      logger_plugin: tls
      logger_tls_endpoint: /api/v1/osquery/log
      logger_tls_period: 10
      pack_delimiter: /
      verbose: true
  overrides: {}
```
are my configs so far, pretty out of the box at the moment.
seph
David M
09/04/2019, 10:19 PM
OMAR
09/05/2019, 9:48 PM