https://github.com/osquery/osquery logo
Powered by
#kolide
  • s

    sundsta

    03/26/2020, 5:57 PM
    Very cool! Being able to run arbitrary WMI queries is super useful.
  • n

    nyanshak

    03/26/2020, 4:34 PM
    You can manually set the enroll secret, in the admin UI or by connecting to the DB:
    Copy code
    USE kolide;
UPDATE app_configs SET osquery_enroll_secret='<secret>';
    s
    z
    • 3
    • 2
  • t

    terracatta

    03/27/2020, 12:34 PM
    1
    j
    • 2
    • 1
  • j

    jby

    03/27/2020, 7:49 PM
    So, now it’s running - what now? Do I have to invent the wheel myself or are there a repository of useful queries somewhere?
    e
    • 2
    • 1
  • e

    Erich Stoekl

    03/27/2020, 10:09 PM
    Hi Folks -- I'm wondering where the results of the ad-hoc queries from fleet end up. For example, I have fleet machines A and B in a cluster, and 100 osquery agents are connected to this cluster. Osquery agents are configured to use the load balancer endpoint which the fleet machines sit behind. I'll assume 50% of the agents will be connected to A, and 50% connected to B. Do both fleet boxes A and B have the same logs of data from the queries run against the osquery agents? Or would each machine have a different set of logs?
    👀 1
    🍿 1
    j
    z
    • 3
    • 7
  • s

    SK

    03/28/2020, 2:22 PM
    Hey guys, quick q, it seems we have some issues with websockets, if websockets is not enabled on the proxy or LB, would that also influence enrollment of OSQuery hosts? Or only live queries?
    d
    • 2
    • 4
  • s

    Seán O'Halloran

    03/30/2020, 9:35 PM
    Do ATC tables work in Fleet? Running
    Copy code
    select value from osquery_flags where name='config_path'
    gives
    Copy code
    /var/osquery/custom_tables.json
    Which I’ve attached. This works when run locally with osqueryi, but does not work when run via the Fleet interface:
    Copy code
    select * from quarantine_items LIMIT 1;
    Is there something I’m missing?
    custom_tables.json
    z
    • 2
    • 2
  • e

    Erich Stoekl

    03/31/2020, 6:03 PM
    Does anyone know of the capacity requirements of the Mysql DB? Particularly when we get to the 10s of thousands of osquery agents connected to the fleet cluster. How many reads/writes per second will the Mysql db need to perform?
    s
    n
    z
    • 4
    • 16
  • d

    DG

    03/31/2020, 8:32 PM
    Newbie here, Can someone direct me on how to tune (limit growth or to set quicker rotation to files or what is a reasonable size? I have 202 clients, and generate 4 GB of logs a day between /var/log/daemon.log and /tmp/osquery_status
    s
    • 2
    • 19
  • m

    Matthew Barrington

    04/01/2020, 12:24 PM
    👋 Is there anyway to get Kolide to make use of an Aurora read replica? Or read replicas in general? If not are there any plans to add support for this
    z
    • 2
    • 3
  • t

    terracatta

    04/01/2020, 9:37 PM
    Dude, this is user browser history... I'm sorry i'm just not morally ok with helping you achieve that goal. What is your end goal? Perhaps there is a better way than enumerating websites people have visited in their browser.
    k
    • 2
    • 8
  • s

    SK

    04/02/2020, 6:15 PM
    Hey guys, is there a way to set a proxy that fleetctl can use to connect to my fleet instance, if running remote?
    z
    • 2
    • 5
  • l

    Lawrence D'Anna

    04/02/2020, 6:56 PM
    is there a way to give ATC a path to the sqlite database that depends on the OS of the node?
    z
    • 2
    • 1
  • l

    Lawrence D'Anna

    04/02/2020, 10:13 PM
    Copy code
    :\Program Files\osquery>launcher.exe --hostname="<http://osquery-dev-fleet.com:8080|osquery-dev-fleet.com:8080>" --root_directory="C:\ProgramData\osquery" --enroll_secret=foobarbaz --insecure
{"caller":"main.go:26","msg":"Launcher starting up","revision":"6ff84fba146ed3d2070faa30bd4947b2e16d7072","severity":"info","ts":"2020-04-02T22:07:25.2657548Z","version":"0.11.9"}
{"caller":"main.go:57","msg":"Nothing new","severity":"info","ts":"2020-04-02T22:07:25.266744Z"}
{"caller":"client_grpc.go:111","cert_pinning":false,"msg":"dialing grpc server","server":"<http://osquery-dev-fleet.com:8080|osquery-dev-fleet.com:8080>","severity":"info","tls_secure":false,"transport_secure":true,"ts":"2020-04-02T22:07:25.2707474Z"}
{"build":"6ff84fba146ed3d2070faa30bd4947b2e16d7072","caller":"launcher.go:158","msg":"started kolide launcher","severity":"info","ts":"2020-04-02T22:07:25.2848206Z","version":"0.11.9"}
{"caller":"query_target_updater.go:21","msg":"query target updater started","severity":"info","ts":"2020-04-02T22:07:25.2848206Z"}
{"arg0":"osqueryd.exe","args":"osqueryd.exe --pidfile=C:\\ProgramData\\osquery\\osquery.pid --database_path=C:\\ProgramData\\osquery\\osquery.db --extensions_socket=\\\\.\\pipe\\kolide.em --extensions_autoload=C:\\ProgramData\\osquery\\osquery.autoload --extensions_timeout=10 --config_plugin=kolide_grpc --logger_plugin=kolide_grpc --distributed_plugin=kolide_grpc --disable_distributed=false --distributed_interval=5 --pack_delimiter=: --host_identifier=uuid --force=true --disable_watchdog --utc --config_refresh=300 --config_accelerated_refresh=30 --allow_unsafe","caller":"runtime.go:546","msg":"launching osqueryd","severity":"info","ts":"2020-04-02T22:07:25.2867445Z"}
{"caller":"init.cpp:509","component":"osquery","level":"stderr","msg":"E0402 15:07:25.349478 12040 init.cpp:509] Cannot activate kolide_grpc config plugin: Unknown registry plugin: kolide_grpc","severity":"info","ts":"2020-04-02T22:07:25.364451Z"}
{"caller":"init.cpp:596","component":"osquery","level":"stderr","msg":"W0402 15:07:25.364450 12040 init.cpp:596] Error reading config: Missing config plugin","severity":"info","ts":"2020-04-02T22:07:25.364451Z"}
{"caller":"init.cpp:509","component":"osquery","level":"stderr","msg":"E0402 15:07:25.364450 12040 init.cpp:509] Cannot activate kolide_grpc logger plugin: Unknown registry plugin: kolide_grpc\r\nE0402 15:07:25.364450 12040 init.cpp:509] Cannot activate kolide_grpc distributed plugin: Unknown registry plugin: kolide_grpc\r\nI0402 15:07:25.364450 12040 events.cpp:863] Event publisher not enabled: ntfs_event_publisher: NTFS event publisher disabled via configuration","severity":"info","ts":"2020-04-02T22:07:25.3684534Z"}
{"caller":"","component":"osquery","level":"stderr","msg":"T","severity":"info","ts":"2020-04-02T22:07:25.3714472Z"}
{"caller":"","component":"osquery","level":"stderr","msg":"hrift: Thu Apr  2 15:07:25 2020 TPipeServer ConnectNamedPipe GLE=errno = 995","severity":"info","ts":"2020-04-02T22:07:25.3714472Z"}
{"caller":"runtime.go:585","err":"exit status 78","mode":"-rw-rw-rw-","msg":"Error running osquery command","path":"osqueryd.exe","severity":"info","sha256":"4dbf2babae608e4eea7d6cc97dbf2affa7ba3f83626b58c7f0937790737a99b7","sizeBytes":11177984,"ts":"2020-04-02T22:07:25.8488886Z"}
{"caller":"launcher.go:125","err":"launching osquery instance: starting instance: could not create extension manager server at \\\\.\\pipe\\kolide.em: dialing pipe '\\\\.\\pipe\\kolide.em': open \\\\.\\pipe\\kolide.em: The system cannot find the file specified.","msg":"interrupted","severity":"info","ts":"2020-04-02T22:07:35.2926968Z"}
{"caller":"query_target_updater.go:26","msg":"query target updater interrupted","severity":"info","ts":"2020-04-02T22:07:35.2926968Z"}
{"caller":"launcher.go:121","msg":"beginnning shutdown via signal","severity":"info","ts":"2020-04-02T22:07:35.2926968Z"}
{"caller":"extension.go:135","err":"launching osquery instance: starting instance: could not create extension manager server at \\\\.\\pipe\\kolide.em: dialing pipe '\\\\.\\pipe\\kolide.em': open \\\\.\\pipe\\kolide.em: The system cannot find the file specified.","msg":"extension interrupted","severity":"info","ts":"2020-04-02T22:07:35.2966917Z"}
{"caller":"extension.go:140","err":"while shutting down instance: running osqueryd command: exit status 78","msg":"error shutting down runtime","severity":"info","ts":"2020-04-02T22:07:35.2986922Z"}
{"caller":"logutil.go:13","run service: launching osquery instance: starting instance: could not create extension manager server at \\\\.\\pipe\\kolide.em: dialing pipe '\\\\.\\pipe\\kolide.em': open \\\\.\\pipe\\kolide.em: The system cannot find the file specified.":"run launcher","severity":"info","ts":"2020-04-02T22:07:35.300691Z"}
    z
    s
    • 3
    • 52
  • j

    john

    04/03/2020, 9:15 PM
    does launcher + TUF also install additional extensions? or only osqueryd updates
    s
    • 2
    • 1
  • b

    Bennett Hitchcox-lain

    04/03/2020, 11:58 PM
    good day, sorry to bother at this late hour. but i was wondering where i could find any docs there are about kolide and Authorization
    s
    • 2
    • 11
  • d

    defensivedepth

    04/06/2020, 1:24 PM
    s
    • 2
    • 3
  • p

    poisonous97

    04/07/2020, 8:49 AM
    hello every, i am using kolide fleet to manage the osquery agents. I want to deloy multi-sites fleet but only using a dashboard. How to deloy it? Same is:
    d
    s
    • 3
    • 4
  • c

    crimsonknave

    04/07/2020, 6:49 PM
    👋 I'm looking for help enrolling osquery agents into fleet via TLS client certificates. I filed https://github.com/kolide/fleet/issues/2208 a few weeks ago as directed in https://github.com/kolide/fleet/blob/master/docs/infrastructure/adding-hosts-to-fleet.md, but haven't heard anything.
    d
    z
    d
    • 4
    • 14
  • e

    Erich Stoekl

    04/07/2020, 10:19 PM
    Hmm looks like I need to GRANT myself additional permissions... sorry for the noise
    1
    d
    • 2
    • 4
  • e

    Erich Stoekl

    04/07/2020, 10:55 PM
    Any other GRANTs needed besides this one? I need to request this permission from our DB team
    z
    • 2
    • 1
  • s

    stefanmaerz

    04/08/2020, 2:32 PM
    Reading through docs trying to figure this out: Does fleetctl have language bindings? Or would I need to shell out if I wanted to use fleetctl from a python script? Or would it just be easier to hit the Fleet API directly?
    s
    z
    +2
    • 5
    • 10
  • e

    Erich Stoekl

    04/08/2020, 6:30 PM
    Hi Folks. When deploying Fleet behind a load balancer, does each Fleet server need to use its own CRT and KEY files? I'm thinking the TLS Termination will be done at the load balancer, then just forward unencrypted traffic to the Fleet server
    s
    s
    z
    • 4
    • 15
  • e

    Erich Stoekl

    04/08/2020, 8:11 PM
    Is there a way to manually bypass this screen? I am unable to complete setup (clicking the "Finish" button on the final screen doesn't do anything) Deploying fleet on kubernetes with 
    server_tls=false
    • 1
    • 1
  • e

    Erich Stoekl

    04/08/2020, 8:23 PM
    Interesting...
    Copy code
    mysql> SELECT fim_file_accesses FROM app_configs;
+-------------------+
| fim_file_accesses |
+-------------------+
|                   |
+-------------------+
1 row in set (0.00 sec)
    I wonder if my migration was indeed screwed up somehow
    z
    • 2
    • 1
  • e

    Erich Stoekl

    04/08/2020, 10:14 PM
    Thanks @zwass... figured it out. Apparently I need to create my mysql DB exactly as how it's done in the osquery-in-a-box project. I created with 
    mysqld --datadir=/tmp/data --event-scheduler=ON
    and it now works. Not sure if it's the datadir, or event-scheduler that I needed
    z
    • 2
    • 1
  • e

    Erich Stoekl

    04/09/2020, 8:19 PM
    Does Fleet need to be running with 
    server_tls
    set to 
    true
    in order to allow osquery clients to connect to it?
    s
    z
    • 3
    • 4
  • d

    defensivedepth

    04/09/2020, 9:00 PM
    Is there a way to pass additional flags to osqueryd when using Launcher? Specifically trying to use 
    --windows_event_channels
    which is only usable as a flag. I have tried to just add it to the launcher flag file, but I am not seeing any change.
    s
    • 2
    • 1
  • k

    KryptoNyte

    04/09/2020, 10:52 PM
    Where does the package builder get its binaries? Do I need to provide an own server? What kind of server?
    s
    z
    s
    • 4
    • 21
  • j

    john

    04/10/2020, 3:55 PM
    Does the launcher auto-updater also allow for installing extra extensions when you publish an update?
    s
    • 2
    • 9
1...232425...38Latest