Hi Folks. I am running into the strangest issue with Fleet. My distributed queries sometimes execute and sometimes do not. I am monitoring logs both on the Fleet server and the osquery node. I see in the Fleet server that a NewDistributedQueryCampaign is scheduled successfully. On the osquery node, I am monitoring with

--verbose

and

--tls_dump

to see all data. I see that the osquery node is polling the read endpoint (

api/v1/osquery/distributed/read

) with the correct node key. It usually just gets back an empty

queries:

response. Sometimes, however, it gets the proper query and runs it! It seems to run it about 10% of the time. Also notable is that creating packs/scheduling queries works 100% of the time. My Fleet server is deployed behind an HAProxy LB. The LB uses its own certificates (signed, wildcard), and my Fleet server uses self-signed certs. The osquery node is using the public key

pem

file for the LB cert, and it enrolls properly. Anyone have any ideas?

Hey, hi! I’m new here, so I’m studying Kolide Fleet now. I would like to understand is it possible to add 2FA to authorization in Fleet Web GUI and is there any way to separate the GUI port and the port for receiving the results of osquery requests to reduce security risks? Maybe you can give me some usefull links

Do Osquery windows installation documentation & enrollment works for windows server as well ?

Seems to relate to this: https://github.com/kolide/fleet/issues/2227

my osquery agent from linux is working fine with kolide however when trying to integrate with Windows osquery with kolide then getting the following err http: TLS handshake error from 10.10.10.1:66566 local error: tls: bad record MAC can someone help please

What version of

fleet

are you using (

fleet version --full

)? fleet - version 2.6.0 What operating system are you using? Ubuntu 16.04 What did you do? Connecting osqeuryd with fleet, both fleet and osquery are on same machine followed this guide https://github.com/kolide/fleet/blob/master/docs/infrastructure/README.md sudo /usr/bin/osqueryd --enroll_secret_path=/var/osquery/enroll_secret --tls_server_certs=/var/osquery/server.pem (this file is downloaded from web page of fleet) --tls_hostname=192.168.1.195:8080 --host_identifier=hostname --enroll_tls_endpoint=/api/v1/osquery/enroll --config_plugin=tls --config_tls_endpoint=/api/v1/osquery/config --config_refresh=10 --disable_distributed=false --distributed_plugin=tls --distributed_interval=3 --distributed_tls_max_attempts=3 --distributed_tls_read_endpoint=/api/v1/osquery/distributed/read --distributed_tls_write_endpoint=/api/v1/osquery/distributed/write --logger_plugin=tls --logger_tls_endpoint=/api/v1/osquery/log --logger_tls_period=10

do we have a place to check if there is an update for launcher/osquery upcoming via TUF default mirror/default notary? i know osquery released an update recently but I’m wondering what the flow into the kolide update channel is

Hi Folks. I'm trying to get to the bottom of the websocket issue I'm having with accessing Fleet via a HAProxy load balancer. When I run a live query, I am seeing that the websocket connection gets established, but just hangs after that. I see the first two messages are properly sent over the websocket (these messages are the

conn.WriteJSON

messages here in the code). After that, however, I see the websocket stays open but only

h

is received every 25 seconds. Please see my attached image. I know that I should see the

total

,

status

, and

result

be received by this websocket when it is operating properly. I have a screenshot attached of this proper operation as well: I can get it to work when I am not using the Load Balancer. My question is -- how can I debug this scenario? Is it hanging inside this goroutine for loop? I am not very familiar with golang so I am having trouble putting in print statements (tried putting in

fmt.PrintLn

statements, but they never showed up in the server logs). PS - Seeing as it works without HAProxy but does not work with HAProxy, I suspected it was a timeout issue. I set tunnel timeout settings on my HAProxy, but that did not help either. It seems the websocket connection is established, but the result data does not come through.

hi all! has anyone experimented with using Redis Clustering for Fleet? is it capable? has it been necessary at all?

Hey Guys, Is there a sizing doc for Kollide fleet?

Hi Everyone, We are planning to deploy Osquery on linux clients in our environment. We use splunk too. Can someone let me know what advantages we have in Kolide over splunk to use it for managing configurations?

is there a way to get launcher to load an osquery extension?

Hi Folks. I see osquery hosts go offline randomly in my Fleet UI. Is there a well known reason for this? Looks like some of my osquery agents just lose connectivity, at a rate of about 1% of hosts per day

Hi Folks. I want to remove a user account from my Fleet server. Can I just delete this user's row from the database?

is there a way to skip this DROP with prepare db? 2020/05/11 100700 FAIL 20191010155147_UpdateTableHostsSearchIndex.go (drop old index: Error 1091: Can't DROP 'hosts_search'; check that column/key exists), quitting migration.

Hello! I have a general sizing question regarding Kolide Fleet: what is the approximate maximum number of osquery clients that can connect to a single Kolide Fleet instance? Also, what sort of system requirements are recommended for a server running Kolide Fleet together with Redis and MySQL (CPU, memory, storage, etc.). I have been finding it difficult to locate any online documentation regarding such requirements. Thanks!

Is fleetctl able to delete hosts?

Many of my machines running osquery frequently are deleted for capacity/other reasons. These subsequently show up as "offline". I would like the automate the procedure of removing them from Fleet

👋 how do i load a custom extension with launcher? can't seem to find that info in the docs..

Hello, there is a way to add a windows host at kolide fleet?

How should I go about figuring out why this is? Is there any docs or posts that would explain to me why it’s not doing it?

How are people handling short lived certs and fleet (such as ACM or letsencrypt)?

Hi Folks. Is it possible to have Labels dynamically generated based off of queries? Currently, it seems that you need to create a Label, and then any host that returns anything from the query will be added to the Label. What I want is to have Labels be generated based on the results of a query. If the query returns 'A' on one host, than that host will be added to a Label titled 'A'. If the query returns 'B' on another host, then that host is added to Label 'B'.

Hey people! I'm trying to add a windows host at my kolide fleet, I'm seeing "Request error: certificate verify failed". Any idea about how to fix?

I already tried all the proposed solutions here https://github.com/kolide/fleet/blob/master/docs/infrastructure/faq.md

I’m running into an issue with Kolide Fleet, where our scheduled queries on Macs aren’t populating the result.log file on the Kolide Fleet server. We can see that scheduled queries are executing on the hosts, and they are receiving their confs from Fleet. Might be a big ask for some troubleshooting assistance, but kind of stuck on what’s going on here

Piggybacking on the discussion of the results.log file for scheduled queries -- does the Fleet app manage rotation for this file? Otherwise it will fill up relatively quickly in our deployment (10s of thousands of osquery agents)

is there a way to get the osquery flags with fleetctl ?

how to delete all MIA hosts ?

is there a good way to exclude a label from a query like if i have a label for Windows Servers but want exclude a label with only DCs