Kyle
06/19/2020, 5:31 AM
Daniel Parry
06/19/2020, 1:18 PM
seph
cips
06/24/2020, 11:54 AM
Reece Rodriguez
06/24/2020, 3:07 PM
curl call or using python requests. What is the header for authentication called? I saw somewhere on github someone used curl -H Authorization: [tokenhere] but that didn't work for me
Ryan
06/24/2020, 3:34 PM
harveywells
06/24/2020, 4:37 PM
.pkg with a unique secret for group A, one for group B, etc.?
terracatta
hilt
06/25/2020, 7:24 AM
Giorgi Kacheishvili
06/25/2020, 12:55 PM
Bryan Brewer
06/25/2020, 5:36 PM
live_query and run just hang and eventually result in net::ERR_HTTP2_PROTOCOL_ERROR
• fleetctl just hangs on --query "SELECT * FROM osquery_info" as well, even with --timeout set and --debug set, I see nothing.
• as far as I can tell everything else working fine.
fleet is behind a tcp passthrough haproxy.
• also tried accessing via ssh tunnel direct to port 8080, still seeing same problem here too.
Steve Hultquist
06/25/2020, 7:15 PM
Seán O'Halloran
06/25/2020, 8:56 PM
default 16:55:42.162116-0400 osqueryd CSSM Exception: -2147413759 CSSMERR_DL_DATABASE_CORRUPT
default 16:55:42.163414-0400 osqueryd dbBlobVersion() failed for a CssmError: -2147413759 CSSMERR_DL_DATABASE_CORRUPT
default 16:55:42.163752-0400 osqueryd CSSM Exception: -2147413759 CSSMERR_DL_DATABASE_CORRUPT
default 16:55:42.165359-0400 osqueryd CSSM Exception: -2147413759 CSSMERR_DL_DATABASE_CORRUPT
default 16:55:42.166820-0400 osqueryd CSSM Exception: -2147413759 CSSMERR_DL_DATABASE_CORRUPT
default 16:55:42.168652-0400 osqueryd CSSM Exception: -2147413737 CSSMERR_DL_DATASTORE_DOESNOT_EXIST
cb3
06/26/2020, 7:39 AM
PJ Meyer
06/26/2020, 7:24 PM
Gavin
06/26/2020, 10:21 PM
Ryan
06/29/2020, 10:03 AM
Artem
06/29/2020, 10:37 AM
Daniel Parry
06/29/2020, 11:10 PM
harveywells
06/30/2020, 8:03 PM
fleetctl with the --query-name option but is it possible to pass in an entire query pack to fleetctl to run multiple distributed queries? I can see this being useful for IR — and you could pipe the results of those queries into custom tooling for further parsing or automation.
Bryan Brewer
06/30/2020, 10:52 PM
localhost. This is more of an osquery thing than fleet thing but mentioning here because I see some possibly related discussion in history. But I didn't find any resolution in the threads I found.
All this testing/mucking around was done on ubuntu18.04.
We do our localhost line in /etc/hosts file like this 127.0.0.1 localhost <hostname_here> - pretty standard stuff... But this seems to cause osquery to choose the first entry localhost in /etc/hosts localhost line as hostname of record.
If I switch /etc/hosts localhost line to 127.0.0.1 <hostname_here> localhost osquery picks up <hostname_here> as desired, but this is wrong and mucks lot of things that rely on localhost line being valid.
If I remove <hostname_here> from /etc/hosts it appears that osquery concatenates hostname from /etc/hostname and possibly the domain line in /etc/resolv.conf. If I change the domain line in /etc/resolv.conf to something invalid or remove the domain line I get what I expected in fleet. I don't mind the domain being concatenated with the hostname just seems odd. Would like to be able to configure this behavior.
Alon Starikov
07/01/2020, 6:06 AM
Ryan
07/01/2020, 12:57 PM
zwass
vaar
07/01/2020, 6:03 PM
Beckel
07/07/2020, 2:21 PM
distributed_interval and logger_tls_period if our main focus is to only use Fleet as a TLS Aggregator and not ask questions?
PJ Meyer
07/08/2020, 4:15 PM
Bryan Brewer
07/08/2020, 7:24 PM
Kyle
07/08/2020, 11:08 PM
Ahmed
07/09/2020, 12:34 PM
schedule and to use fleet convert utility I have to change my pack to use queries keyword I guess. Is there something I’m missing?
I tried to go through osquery doc and kolide docs and code but could not figure that out.
https://github.com/kolide/fleet/blob/1c6ab46e40795f6bb922873ae5098f6054c1f51c/cmd/fleetctl/convert.go