me again with some smtp issue i can't seem to figure out, i'm getting

sending mail: startTLS error: x509: certificate has expired or is not yet valid

when trying to set my smtp settings, but when checking the cert manually with

openssl

i get valid dates (july 7th 2020 - july 7th 2022)? has anyone else seen this?

👋 How are folks managing Fleet's DB? Does anyone prune the DB, particularly if the "MIA" nodes grows to a particular size?

hola again 🙂 anyone know why SSO would fail and return this in the logs?

validation failed: session missing for request

? i'm using Okta for this, seemed to have worked just fine in a dev instance i had set up

In

file-format.md

docs:

# "additional" information to collect from hosts along with the host
    # details. This information will be updated at the same time as other host
    # details and is returned by the API when host objects are returned. Users
    # must take care to keep the data returned by these queries small in
    # order to mitigate potential performance impacts on the Fleet server.
    additional_queries:
      time: select * from time
      macs: select mac from interface_details

1. What is meant by "small" here? 2. How frequently do these queries get run by the hosts? Is there a way to specify intervals / reduce the intervals? <thread>

Will a new Fleet version be released this month? 🔮 Debating moving our container around

Hi everyone - I’m trying to debug why a query pack isn’t being scheduled on some hosts in Fleet. We have 1021 hosts online, I’ve scheduled a query pack with one query in it to run on all of them once per day. I’m only seeing 823 hosts returning results in

/tmp/osquery_result

. I tried running the same query on-demand against some of the missing hosts and they worked fine, but if I run

SELECT * FROM osquery_schedule

they return successfully, but with no records. Does anyone have any suggestions? Thanks 🙂

Hi All, I'm trying to get SAML SSO configured for Fleet & ADFS and once configured I'm getting an http 405 response from the fleet server when sending the SAMLResponse, does anyone have this successfully configured?

Hi All, I’m working on setting up an endpoint scanning solution and I’d like to hear your opinions on Kolide vs OSQuery. I’m aware many parts of Kolide are free and open source, such as Kolide Fleet, but I’m particularly wondering what kinds of advantages are seen from the paid OSQuery replacement, Kolide. Thanks!

Curious - is anyone piping osquery logs to bigquery? How do you deal with schemas if so? This seems to be the big advantage of logging to ELK, but I’m curious if someone is using Google Bigquery

👋 Trying to debug an issue and I'm curious if anyone else has encountered it here — we have a group of linux endpoints that were enrolled in Fleet previously but are no longer visible in the UI or reachable via fleetcl . My theory is that this may be related to the "automatic host expiry" option enabled but the "last seen time" for one of the hosts is yesterday; our expiry window much larger than 24 hrs 😛 . How does Kolide determine "last seen time"?

We're putting our fleet instance behind haproxy so we can expose

/api/

to the internet and keep

/admin

behind VPN. Our network team wants to make the routing easier for them by having two different subdomains: fleet.acme.com and fleet-admin.acme.com Will having fleet-admin as the

kolide_server_url

breaking querying or anything?

Hi there! Is there a way to distribute different osquery configurations for my hosts by Kolide? I know that I can distribute different configs for different operating systems (one for Linux, other one for Windows, and also for OSX) but can i do the same for hosts with the same operating system (let’s say one config for some Linux hosts, another one for other Linux hosts etc)?

I'm not able to connect with fleet server due to

Failed enrollment request to <https://something.com/api/v1/osquery/enroll> (Request error: certificate verify failed) retrying

. I'm following FAQs to make sure I don't miss anything. Here is what i get when I curl the enroll endpoint.

❯ curl -v -X POST <https://something.com:443/api/v1/osquery/enroll>
*   Trying 13.234.113.134...
* TCP_NODELAY set
* Connected to <http://osquery.lalaland.com|osquery.lalaland.com> (13.234.113.134) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: self signed certificate
* Closing connection 0
curl: (60) SSL certificate problem: self signed certificate
More details here: <https://curl.haxx.se/docs/sslcerts.html>

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

Hi! Is there any way to set RBAC-like settings in Kolide Fleet? Let’s say, user A can run ad-hoc queries but has no permissions to create/modify packs and so on?

I'm getting an error message while trying to apply changes to my osquery options: `ERROR 1812 (HY000): Tablespace is missing for tabble `osquery_options`` Already tried shutting down the service and running

fleet prepare db

Any suggestions?

👋 @zwass - very excited, saw your perf PR got merged yesterday 👌 🎉 Will this be in a release soon?

hey there, me again 🙂 in order to use the pubsub plugin, can i just confirm for the credentials it looks for the

GOOGLE_APPLICATION_CREDENTIALS

env var?

Hello! I see that the v3.0.0 is released on GitHub, are-you also planning on uploading the image on DockerHub? Thanks!

I’m curious what you find. AFAIK the “correct” ways are: * to run an app that reads it from a user context, getting a pop up (hard to fix in this flow, also no app) * install a profile The incorrect way is to mode the TCC database as Zoom did/does

fleet 3.0.0 DB deadlock when migrating <thread>

Many of you are already aware about the recent macos screenlock table addition which @terracatta wrote for osquery, I wrote up a blog post about how we did it, and also how you can query it remotely using kolide launcher! https://blog.kolide.com/checking-macos-screenlock-remotely-62ab056274f0

or do I have to write some db script to do so?

Is fleet able to use a shared redis cluster? The connection string I've been given looks like

hostname:6379/17

(It's database 17 on that redis cluster.) But, when I put that in the

KOLIDE_REDIS_ADDRESS

entry I see `Warning! Live query disabled due to error: reading from redis: dial tcp: address tcp/6379/17: unknown port`when I go to run a live query.

Hello, I wonder if Fleet has any mechanism to allow granular permissions to accounts, so only selected accounts may run queries/packs on specific hosts

Hello, My server frequently closes connections when I'm trying to access the API:

could not list packs: GET /api/v1/kolide/spec/packs: GET https://<server>:443/api/v1/kolide/spec/packs: read tcp <host>:<port>-><server>:443: read: connection reset by peer

Any ideas on where that could be coming from?

🌊 I’m excited about the Fleet 3.0 release but I’m trying to think about where the data in

network_interfaces

might be used that I’m not thinking of before upgrading. I’ve seen it when a host first enrolls with Fleet but otherwise we’re not intentionally using that elsewhere. How were folks using that data prior to the new release?

Hi, is there any way to rotate my Fleet API key? I don't see an option for that in my settings

Hey folks, already sent out a DM but curious if anyone else knows: I have an Auto-scaling group in AWS running kolide fleet, which pulls down latest version of kolide on instance launch (instead of pinning a certain version like I probably should have). Seems like latest update is stopping hosts from enrolling due to what appears to be DB migration problems. Question, is it safe to simply run the fleet prepare db command or do I need to be concerned with data loss?

Is there a way to configure kolide fleet hosts dashboard w/ additional decorators?

if I am deploying kolide, can I terminate TLS with an ALB, or does kolide need to be able to access the certs where it's running?