I would love to second @sanjaykcse’s question - I believe the issue is around getting the feature sponsored, is that correct @zwass ?

Yeah, You have:

"3600": SELECT...

https://osquery.readthedocs.io/en/stable/deployment/configuration/ documents

"interval": {
      "3600": [
        "SELECT total_seconds AS uptime FROM uptime;"
      ]
    }

Hi! I have a question. I'm building Kolide fleet with topology belows Im using HAproxy + kolidefleet. On kolide fleet I setup with no tls (--server_tls=false). And on Haproxy I use Let's encrypt cert for domain of Lets encrypt and use this cert for client authorize. But when client connect with fleet via domain or IP of haproxy, I recived thi log 2608 tls_enroll.cpp:76] Failed enrollment request to https://domain.fleet/api/v1/osquery/enroll (Request error: certificate verify failed) retrying... Anyone can resolve it ?

Does anyone know if there is a way to implement an approval process for ad-hoc queries?

Does a Fleet user API token ever get rotated by Fleet itself?

Sorry if this has been asked before but is there documentation support for querying custom tables in osquery using fleet? I can query it using osqueryi but fleet fails to produce results.

More of an out of curiosity question has anyone deployed

filebeat

as a

daemonset

on k8s to read the

osquery

log files from

fleet

, I have asked Elastic for some guidance and I think I am hitting a filebeat bug but was curious if any one has had any success.

I've set

KOLIDE_SERVER_TLS

to

true

and I get

{ "terminated": "tls: failed to find any PEM data in key input", "ts": "2020-08-31T14:07:27.746925412Z" }

However, if it's set to false, the logs show that

transport

is

http

, but communication between hosts and fleet are still good. I've confirmed the key data is good, what am I missing?

Hello there. I am trying to combine the grpc functionality with osqueryd without using the launcher. This issue pointed me towards building the grpc.ext separately. My question is, if I load this extension into my osqueryd, where do I put the kolide fleet server details (hostname/port no.)?

👋 I'm seeing some behavior with kolide fleet on ECS. I'm running a task definition that is supposed to start up kolide fleet with

fleet serve

. After

fleet serve

is running, nothing from stdout is getting logged. Is this expected, if so is there a way around this?

when running

--tls_dump

I see what appears to be html in the output, is that expected?

This might be a weird q, but is there a way to prevent UI edits in Fleet? Ideally I’d like to enforce that all changes to queries/packs are made only via automation (or by specific user tokens if such an ACL exists), so changes can be driven by fleetctl or terraform.

Is RBAC on the roadmap for development at all?

Is there a way to add new decorators within the Kolide UI? Are those supposed to be labels?

Hi Team, Is there any Kolide app in Kibana (ELK) for better centralised query and response management via kibana?

Has anyone found a good way to build Launcher .pkgs for macOS on a non-macOS system? Or is that still always done on macOS?

Is there a way to see if configs are being pushed down to a host w/o fleetctl?

Is there a way to get decorators with

fleetctl

? somehow I'm getting this error from a host

W0908 15:45:25.950857 20167 decorators.cpp:217] Invalid decorator interval rate 3600 configuration in config source: tls_plugin

Hi， How does fleet server issue rules to osquery nodes？

question: when a host is "online", is that just basic TLS comm?

Is there a way to make the tiles/list of hosts in kolide customizable?

Kolide Experts, i’ve been facing an issue with fleet mysql the performance is so bad even after increasing the server specs to 64GB Ram and 12 CPU. still facing the same issue where fleet is not able to search for a host/label to run a query against and eventually the process on the db server get killed after eating all the resources. number of hosts joined to fleet are 11K host. and here are some of the queries i was able to get from a DBA.

INSERT INTO hosts (
                        detail_update_time,
                        osquery_host_id,
                        seen_time,
                        node_key
                ) VALUES ('1970-01-02 00:00:00', 'web01', '2020-09-02 13:50:33.053319', 'REDACTEDREDACTED')
                ON DUPLICATE KEY UPDATE
                        node_key = VALUES(node_key),
                        deleted = FALSE;

SELECT DISTINCT dqc.id, q.query
                FROM distributed_query_campaigns dqc
                JOIN distributed_query_campaign_targets dqct
                    ON (dqc.id = dqct.distributed_query_campaign_id)
                LEFT JOIN label_query_executions lqe
                    ON (dqct.type = 0 AND dqct.target_id = lqe.label_id AND lqe.matches)
                LEFT JOIN hosts h
                    ON ((dqct.type = 0 AND lqe.host_id = h.id) OR (dqct.type = 1 AND dqct.target_id = h.id))
                LEFT JOIN distributed_query_executions dqe
                    ON (h.id = dqe.host_id AND dqc.id = dqe.distributed_query_campaign_id)
                JOIN queries q
                    ON (dqc.query_id = q.id)
                WHERE dqe.status IS NULL AND dqc.status = 1 AND h.id = 4862
                        AND NOT q.deleted
                        AND NOT dqc.deleted

SELECT DISTINCT *  
FROM hosts  
WHERE ( id IN  
   (  
   SELECT id  
   FROM hosts  
   WHERE MATCH ( host_name , uuid ) AGAINST ( ? IN BOOLEAN MODE )  
   )  
OR id IN  
   (  
   SELECT host_id  
   FROM network_interfaces  
   WHERE MATCH ( ip_address ) AGAINST ( ? IN BOOLEAN MODE )  
   ) )  
AND NOT deleted LIMIT ?

would you please also share some insights when every query of these is executed by fleet? https://github.com/kolide/fleet/issues/2293

hello I don't know how Fleet distributes the pack in the Web UI to osquery nodes I also did not see the documentation on the official website. I have now set Pack on fleet Web UI, but osquery cannot receive it

Is there a different way I can approach troubleshooting this?

Hello! Thank you for continuing to support and develop Kolide Fleet! I have two problems, the cause of which I cannot understand yet. I would be grateful for your help with their solution. 1. This includes the first 3 screenshots. I try to add a specific user to the targets for a pack, but after allowing editing, I don’t see this user in the settings of a specific pack, it shows empty string. However, the general list of packs shows that the pack is installed for the user. Based on the results of my test, I see that the pack is still being applied and requests are being executed, however, this creates inconveniences during testing and debugging. What do you think is the reason for this behavior? 2. Our Fleet is configured to receive the results of queries on a schedule in the result.log file (rotation is enabled). However, today, when other queries were enabled, I noticed that they began to write to files with result-datetime.log formats, although we did not specify such settings. At the same time, while the previously included pack continued to write to the result.log file. What do you think is the reason for this behavior? This behavior was not observed before the upgrade to version 3.1.0.

👋 When I'm trying to do a DB migration I'm getting

20200405120000_UpdateLabelStorage.go (create label_membership table: Error 1050: Table 'label_membership' already exists), quitting migration.

someone use gitlab CI/CD with fleetctl for deploying packs?

Hello! Why do I generate osquery logs directly in Fleet's /var/log/kolide, instead of osquery logs generated on its own server Where is this configured?

👋 Would anyone have some recommendations on where to look further on this?

2020-09-15T19:30:47.771465407Z {"component":"service","err":"failed to ingest result: campaign waiting for listener","ip_addr":"x","level":"debug","method":"SubmitDistributedQueryResults","took":"8.342794ms","ts":"2020-09-15T19:30:47.771281978Z","x_for_ip_addr":"x"}

I've already got kolide in debug mode but i'm not seeing anything aside from the failure

Good day, I would like to make data transfer from kolide fleet to Kafka broker by using Kolide API token. But i have no idea how to make it. any suggestions. Thank you.