Hello, may I ask whether Kolide Fleet can make clusters?Do you have any relevant information in this field?

Why am I able to query on the server but not on Fleet?What could be the problem?

Hello, how can I change UTC time to local time in the log I generate?

Hello, i've added three hosts into my fleet (2 Windows, 1 Ubuntu) and they are not being auto added un the label "MS Windows" and "Ubuntu Linux". What im doing wrong?

hi, is it possible to create user accounts in fleet without sending an email invite first?

Hello to all! Can you please tell me if we can get some advice on a suitable server configuration for Kolide Fleet. We are planning to order equipment (dedicated hardware), but did not find anywhere an obvious correlation from the number of users. We plan to deploy a Kolide Fleet to collect data separately from users and separately from servers. We think about 5-7 thousand users and, conditionally, 5 thousand servers (Kubernetes, virtualization, etc.) Tell me please, what are the optimal resources for such load volumes?

Hi. We've rolled out a POC for Fleet and osquery and I'm trying to understand the offline timeout for our clients as they seem to be dropping offline very quickly. I was given this code as the Offline (MIA) duration, which would seem to be a decently long amount of time - https://github.com/kolide/fleet/blob/7494513400b1d15d3e770358350d227ffbe2e4ce/server/kolide/hosts.go#L33. Is there a list of client events that would trigger an online status? I'm assuming config_regfresh or a check in to look for new distributed queries, distributed_interval, and probably several other client actions should be flagging them as valid.

I'm trying to upgrade from 2.6.0 to 3.1.0 and I'm getting authentication errors for http and service components. Has anyone else come across this when upgrading from v2 to v3? If i roll back to version 2.6.0 everything works fine. Also the below error.

{
  "component": "http",
  "err": "authentication error: missing node key",
  "ts": "2020-09-23T15:18:39.879218643Z"
}

Another noob question here. Anyone know where Fleet logs are written by default?

Hi. Something weird is going on. On my fleet, the hosts IPv4 and MAC info on every host are not being show, they dissapear and appear at random moments

Looking at the fleet code it looks like the

Invite

struct explicitly marks the token json as un-exportable with

-

. As far as I can tell that means the only way to get the token right now is via the rendered invite email. We were interested in writing some automation that handles user invitation/setup and wondered if there was another way to get the invite token out.

Hi everyone! I have a question about a recent setup that i just put to work. I'm managing 2 Windows hosts through another machine where i'm running Fleet. I just enrolled them with Launcher and i don't how can i use the polylogyx extension, in order to allow my Fleet instance to gather the information that this extension provides. I'm sorry if i'm too noob for asking this, i want to improve hahaha. Any help?

this is by no means an official answer, but I’ve been running fleet locally with a mysql 8 database for probably over a year now with no issues

Can I export all the hosts added on Fleet?

How can i build a package with kolide launcher with extensions?

We are configuring the fleet server to run behind NGINX. Osquery on clients seems to run properly and not getting any errors, but our NGINX is giving 499 errors for requests to /api/v1/osquery/distributed/read. So the error in the log looks like

10.100.29.126 - - [25/Sep/2020:22:34:00 +0000] "POST /api/v1/osquery/distributed/read HTTP/1.1" 499 0 "-" "osquery/4.4.0" "-" "127.0.0.1:8080" "TLSv1.2/ECDHE-RSA-AES128-GCM-SHA256" "-" 15.555 15.683 -

  At the same time, the request to distributed/read from the client looks like

I0925 15:41:36.760367 119746560 tls.cpp:253] TLS/HTTPS POST request to URI: <https://fleet.domain.net:443/api/v1/osquery/distributed/read>

{"node_key":"HN32A+71pXAVPF57U63QIANo45P2J5I+"}

And osquery_status.log on fleet server shows this

{"hostIdentifier":"7AD00D8C-E849-5DE8-B20A-BD35D6F6137E","calendarTime":"Fri Sep 25 22:41:36 2020 UTC","unixTime":"1601073696","severity":"0","filename":"tls.cpp","line":"253","message":"TLS/HTTPS POST request to URI: <https://fleet.domain.net:443/api/v1/osquery/distributed/read>","version":"4.4.0","decorations":{"host_uuid":"7AD00D8C-E849-5DE8-B20A-BD35D6F6137E","hostname":"<http://c02w40vchv2r.domain.com|c02w40vchv2r.domain.com>"}}

Anyone know why this is happening? thank you! Steve K.

Quick, simple question (I hope): Fleet considers "Hosts that have not checked-in to kolide recently" to be "Offline". How long ago is "recently" in this context? (Side question: How and where would I have found this information myself? Google and GitHub were not forthcoming this morning. Do I just need more caffeine?)

Hi all, was wondering if anyone has any info related to the following errors in fleet.

level=info ts=2020-09-29T05:17:51.328659802Z component=service method=EnrollAgent ip_addr=10.124.237.153:34884 x_for_ip_addr= err="save enroll failed: inserting: Error 1205: Lock wait timeout exceeded; try restarting transaction" took=5m23.090762881s
level=info ts=2020-09-29T05:17:51.46834596Z component=service method=EnrollAgent ip_addr=10.124.237.148:38000 x_for_ip_addr= err="save enroll failed: inserting: Error 1205: Lock wait timeout exceeded; try restarting transaction" took=2m49.583970117s

Seems to increase as time goes on and then cascades into fleet becoming completely unresponsive. Is this a database problem or a database settings issue? It's rather out of the blue that this happen twice in the past two days.

Which SQL permissions does kolide need?

Any best practices to getting the fleet logs into a file for logging? I'm running fleet in a docker container and i can view the logs with the docker log -f command. How can they be ported to a file on the local host? I tried starting the container with log-dirver: "syslog" but nothing. Is it a formatting issue?

Hi all, I was wondering why the centos osquery package download return 404 error (sudo rpm -ivh https://osquery-packages.s3.amazonaws.com/centos7/noarch/osquery-s3-centos7-repo-1-0.0.noarch.rpm)

How do we get live query results via web apis ?

Can anyone provide some assistance or guidance on MYSQL deadlock/locks. We have 60 fleet host connecting to a MYSQL percona cluster of 4 hosts. For the past two days we've been getting deadlocks/lock on MYSQL that seem to increase overtime and cause the ALL the fleet hosts to eventually exhaust memory causing a denial of service. Fleet becomes unresponsive and subsequently host fail to report in. We are running fleet version 3.0.0-3-g0619581b. Our DBA folks seem to think it's an application issue with fleet hitting the hosts table.

DBA team response: 
Essentially this is not db server tuning issue, but an app tuning issue. I understand this needs to be related to the vendor, however as you can see from the Humio links inserts & updates are clashing on the 'hosts' table. The correct approach is to minimize these deadlock situations arising in the first place. The engine will detect and roll back 1 transaction - eg in detail:

------------------------
LATEST DETECTED DEADLOCK
------------------------
2020-09-30 09:46:45 0x7de11cce9700
*** (1) TRANSACTION:
TRANSACTION 35762332832, ACTIVE 0 sec starting index read
mysql tables in use 1, locked 1
LOCK WAIT 3 lock struct(s), heap size 1136, 2 row lock(s)
MySQL thread id 1157846, OS thread handle 139400941860608, query id 14939859382 <http://prod-10-32-7-83.pw1.bcc.somehost.com|prod-10-32-7-83.pw1.bcc.somehost.com> 10.32.7.83 tlsproddb_user updating
UPDATE hosts SET
			seen_time = '2020-09-30 13:46:45.647691'
		WHERE node_key='6u8qphrXq6FhlWXYZfYWHT2xwBHX+SsN'
*** (1) WAITING FOR THIS LOCK TO BE GRANTED:
RECORD LOCKS space id 771 page no 7 n bits 88 index PRIMARY of table `tlsproddb`.`hosts` trx id 35762332832 lock_mode X locks rec but not gap waiting
*** (2) TRANSACTION:
TRANSACTION 35762332830, ACTIVE 0 sec updating or deleting
mysql tables in use 1, locked 1
4 lock struct(s), heap size 1136, 3 row lock(s), undo log entries 1
MySQL thread id 1157730, OS thread handle 138405804414720, query id 14939859380 <http://prod-10-32-1-12.pw1.bcc.somehost.com|prod-10-32-1-12.pw1.bcc.somehost.com> 10.32.1.12 tlsproddb_user update
INSERT INTO hosts (
			detail_update_time,
			label_update_time,
			osquery_host_id,
			seen_time,
			node_key,
			enroll_secret_name
		) VALUES ('1970-01-02 00:00:00', '1970-01-02 00:00:00', 'DB938000-FD74-11E7-8000-000000000000', '2020-09-30 13:46:45.647665', 'WqAC/7dPeDzkh90b5yb4TIIvvJrgd4ut', 'default')
		ON DUPLICATE KEY UPDATE
			node_key = VALUES(node_key),
			deleted = FALSE
*** (2) HOLDS THE LOCK(S):
RECORD LOCKS space id 771 page no 7 n bits 88 index PRIMARY of table `tlsproddb`.`hosts` trx id 35762332830 lock_mode X locks rec but not gap
*** (2) WAITING FOR THIS LOCK TO BE GRANTED:
RECORD LOCKS space id 771 page no 3489 n bits 248 index idx_host_unique_nodekey of table `tlsproddb`.`hosts` trx id 35762332830 lock_mode X locks rec but not gap waiting
*** WE ROLL BACK TRANSACTION (1)

Any help on this matter would be greatly appreciated.

Which options does the --update_channel receive? (kolide launcher)

Hi all, I am facing issues in adding a window host to kolide fleet. I see no errors but the host is not added

Hey folks, We've been starting to use the fleet client

service

library and have put up a PR for a missing

DeleteHost

method on the client struct https://github.com/kolide/fleet/pull/2312

We are getting most of the things sorted, but getting the following error in stderror for fleetd when a query is submitted.

Oct 01 15:38:10 <http://hostname.domain.net|hostname.domain.net> bash[8725]: {"component":"http","err":"read auth token: reading from websocket: sockjs: session not in open state","msg":"failed to read auth token","ts":"2020-10-01T15:38:10.35797483Z"}

I am also not getting anything in the results logs. Is there something in need to look at to figure this out? We are making a connection through NGINX. Nginx config is simple, no grpc pass

location / {

proxy_pass            <http://127.0.0.1:8080>;

proxy_read_timeout    900;

proxy_connect_timeout 90;

proxy_redirect        <http://127.0.0.1:8080>

<https://nginxserver.domain.net>;

proxy_set_header      Host $host;

proxy_set_header      X-Real-IP $remote_addr;

proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;

proxy_set_header      X-Forwarded-Proto $scheme;

proxy_set_header      Proxy "";

}

Hello, I am having an issue with a Docker Traefik > Fleet grpc issue. I am sure it probably a configuration error, but when trying to register an agent using Kolide launcher, I get an error in the launcher logs that the wrong content-type was received from the server (HTML). Traefik is configured to use HTTP2 and the standard HTTPS traffic is passing correctly. Can someone point me in the right direction please?

Hello! I am trying to setup SSO for Kolide using Google, when I try to login I dont see errors on the console but get redirected to the login page again. Does SSO needs SMTP activated to create users with SSO? Might this be the issue? I added a user specifying the Google email and checked SSO on the create user screen.

Hi Community, I have a kolide server and a single osquery host. (both on separate machines). Osqueryd is run with root on the host. host has many other users("user1", "user2"} which perform some actions on the machine. osquery provides a decorator to "SELECT user AS username FROM logged_in_users ORDER BY time DESC LIMIT 1;" but this one only shows root users in the osquery_result I would like to know whether its possible to create a decorator where each query is listed with the respective user who performed the action. for eg: if "user1" executes "nmap google.com" and "user2" executes "nmap facebook.com" osquery should produce a result with respective user labelled. expected result: {"cmdline:/usr/bin/nmap", "user":user1} {"cmdline:/usr/bin/nmap", "user":user2} I know that some tables like "process_events" have uid to show this parameter. But I am looking for some other generic solution. Any help is appreciated. Thanks in advance.