How does it not convert

decorators

over to yaml?

How can we change the default location of osquery_result.log file on fleet server. The default location as of now is "/tmp" can we change is it to something else?

Good morning, from this part of world i have a question from this configuration, i would appreciate your help

/ usr / bin / fleet serve \
  --mysql_address = 127.0.0.1: 3306 \
  --mysql_database = kolide \
  --mysql_username = root \
  --mysql_password = toor \
  --redis_address = 127.0.0.1: 6379 \
  --server_cert = / tmp / server.cert \
  --server_key = / tmp / server.key \
  --logging_json

How can i add my configuration to port 443?

This message was deleted.

does anyone know of a way to have the kolide fleet management UI accessible over a different port? We want our nodes to be able to access the server over 443 on public WAN but only have the web UI accessible internally over a different port to 443

Hey folks, how are you generating alerts with your osquery logs? Would it be useful to have this functionality directly in Fleet?

@jby What IT/Security problems are you trying to solve using osquery/kolide?

<!here> Hello friends, I just released Fleet 3.2.0 which has some nice new features along with bug fixes. Take a look at the changelog and download binaries at https://github.com/kolide/fleet/releases/tag/3.2.0. The Docker containers are available as usual on Docker Hub.

Is there any way to make osqueryd automatically read a flagfile upon start? Or, actual example: How do I give the --flagfile option to osqueryd when starting it using the kolide launcher?

Good morning everyone, hope you are enjoying this beautiful Friday! I have a Kolide Fleet stack running on AWS on an ECS. The server is configured to send log results to a Firehose Kinesis. I want to disable the Firehose plugin and drop the Firehose stack (trying to drop any result logging output from the server). I wonder if we drop the Firehose service on AWS, does the Fleet server will store/cache the results if the Firehose does not exists? I don’t want to store neither cache anything, just disable log results publishing from the server. Or maybe, what would be the right flag/plugin to set in order to disable any log being published from the Fleet server?

hey folks — i was looking at the osquery-go repo and found https://github.com/kolide/osquery-go/issues/85, any updates on this? I was looking to implement an osquery->containerd extension and containerd has support for emitting events and would be awesome to integrate that into osquery

Hi Folks,

osqueryd

runs fine on my host. But when i try to launch via

launcher

i'm getting this error:

sudo ./launcher --hostname=fleetserver:443 --root_directory=/var/osquery --enroll_secret=KEY --debug

``````

Quick question, If I have a custom logger plugin set in my flags file, and config plugin set to TLS (pointed at fleet), Do I need to set some other configuration elsewhere to make my osqueryd hosts use the logger plugin? The way I have it, it's not, using a snapshot file (/var/log/osquery/osqueryd.snapshots.log) instead

Hi Folks, I was running my fleet server on EC2 with self signed certificate. Now EC2 instance runs behind a load balancer and uses ACM certificates. My hosts are not able to connect to fleet server now. Do I have to run the fleet server again? With the ACM certificate? But where do i get the key from?

Hi, does anyone know where I can find the specific differences in privileges between users and admins in Fleet? It looks to me like admin gives access to 'Manage Users' and 'App Settings' under Admin. Anything else? We would have love more granular RBAC wrt ad-hoc queries, but I don't think anything like that exists.

Hello. Happy hump day! I am running fleet on Ubuntu 20.04, and have set it up according to: https://github.com/kolide/fleet/blob/master/docs/infrastructure/fleet-on-ubuntu.md On the same local network, I am trying to add a host running MacOS Catalina. OSQuery is confirmed to work locally on the mac via

osqueri

. I can connect to the web interface from both machines. I have the Enroll Secret on the mac in

/etc/osquery/enrollment_secret

I have downloaded the server.pem certificate onto the mac, and copied it to

/var/osquery/server.pem

, also I have added it to the System in Keychain Access and set to Always Trust I am attempting to enroll from the mac with this command:

sudo osqueryd --enroll_secret_path=/etc/osquery/enrollment_secret --tls_server_certs=/var/osquery/server.pem --tls_hostname=192.168.1.115:8080 --host_identifier=elliott_macbookpro --enroll_tls_endpoint=/api/v1/osquery/enroll --config_plugin=tls --config_tls_endpoint=/api/v1/osquery/config --config_refresh=10 --disable_distributed=false --distributed_plugin=tls --distributed_interval=3 --distributed_tls_max_attempts=3 --distributed_tls_read_endpoint=/api/v1/osquery/distributed/read --distributed_tls_write_endpoint=/api/v1/osquery/distributed/write --logger_plugin=tls --logger_tls_endpoint=/api/v1/osquery/log --logger_tls_period=10

When I run that, I get the following error:

W1014 14:15:37.995653 377294272 tls_enroll.cpp:76] Failed enrollment request to <https://192.168.1.115:8080/api/v1/osquery/enroll> (Request error: certificate verify failed) retrying...

The server stdout shows:

2020/10/14 14:15:37 http: TLS handshake error from 192.168.1.104:54237: local error: tls: bad record MAC

Any pointers as to how to get the handshake to succeed?

Why does Fleet Web UI often fail to churn out data to deploy roughly 2,000 servers

@seph will 4.5 be pushed to Kolide Stable channel soon?

Hello Kolide. I'm wondering if there is a way to forcefully remove clients from Fleet or if they go away automatically at some interval (post MIA)?

Hello Kolide. After a timed query rule is issued, why does a log duplicate appear in kibana's displayed logs.

@Tej Gandhi I would recommend reading one of the community articles written on setting up Kolide Fleet (which can output logs to AWS). • https://medium.com/poka-techblog/kolide-fleet-on-aws-fargate-a-quick-start-guide-b77000025206 • https://blog.kolide.com/managing-osquery-with-kolide-launcher-and-fleet-b33b4536acb4 • https://kifarunix.com/install-and-setup-kolide-fleet-on-ubuntu-18-04/ If you need a turn-key solution you can also look at our SaaS offering which supports the configuration of packs and export of logs to various destinations. https://k2.kolide.com/signup

Okay, so it would make more sense to schedule this query to run; then use ELK or something to view the aggregation that I want to view?

Is any option to import query packs (or queries) from the console? I've got all the .conf files

Windows Server 2019, Launcher + autoupdate stable. Trying to enroll in Fleet, seeing the folllowing:

caller=level.go:63 level=info caller=extension.go:136 msg="extension interrupted" err="enrolling host: query enrollment details, (even with retries): done trying: query enrollment details: could not query the extension manager client: write field stop error: The pipe is being closed."

Any ideas?

Hello. I've installed osquery on hosts with kolide launcher with osquery versión stable and update channel stable. But when i'm querying those hosts the queries are taking forever and not returning nothing, i need to restart the services in the hosts in order to work.

Hello.It is stated in the official document that fleet needs to be offline to upgrade. Does this mean that Fleet services need to be stopped

Hello, may I ask if my fleet. Service configuration is like this? Can I directly perform Fleet Prepare DB during the upgrade of FLEET? Is Fleet Prepare DB the default user for Kolide? I really want to upgrade my Fleet 2.0 to 3.0

Hello, is there any way to update client's tls cert( 90000+) quickly?

Hello, does differentiore (lgnore Removals) mean Differential query?For example, when querying the server for an abnormal process, the content of the query in this hour is compared to the query in the last hour. If there are other processes in this hour, the result log will be generated. Another question is what does action: add mean in the results log.

hi all! I have Kolide Fleet 3.2.0 installed on CentOS 7.8.2003:

fleetctl - version 3.2.0

branch:       master

revision:     07534c766beb7bf9a022d29572d88493ecef8f7c

build date:   2020-10-08T19:25:24Z

build user:   zwass

go version:   go1.15

fleet version

fleet version 3.2.0

When I try to make a simple (in the same server):

fleetctl login

I get this error:

panic: runtime error: invalid memory address or nil pointer dereference

[signal SIGSEGV: segmentation violation code=0x1 addr=0x10 pc=0xa4d1c9]

goroutine 1 [running]:

<http://github.com/kolide/fleet/server/service.(*Client).url(...)|github.com/kolide/fleet/server/service.(*Client).url(...)>

/Users/zwass/dev/fleet/server/service/client.go:128

<http://github.com/kolide/fleet/server/service.(*Client).doWithHeaders(0x0|github.com/kolide/fleet/server/service.(*Client).doWithHeaders(0x0>, 0xc0c65a, 0x4, 0xc1934b, 0x14, 0xb7a320, 0xc000440000, 0xc00033c780, 0x5, 0x2000, ...)

/Users/zwass/dev/fleet/server/service/client.go:87 +0x69

<http://github.com/kolide/fleet/server/service.(*Client).Do(0x0|github.com/kolide/fleet/server/service.(*Client).Do(0x0>, 0xc0c65a, 0x4, 0xc1934b, 0x14, 0xb7a320, 0xc000440000, 0x4824fc, 0x18205e0, 0xc0000f2280)

/Users/zwass/dev/fleet/server/service/client.go:106 +0x19b

<http://github.com/kolide/fleet/server/service.(*Client).Login(0x0|github.com/kolide/fleet/server/service.(*Client).Login(0x0>, 0x10b6aa8, 0x1, 0x10b6aa8, 0x1, 0x0, 0x0, 0x0, 0x0)

/Users/zwass/dev/fleet/server/service/client_sessions.go:18 +0xfe

main.loginCommand.func1(0xc0000cef20, 0x0, 0xc0000cef20)

/Users/zwass/dev/fleet/cmd/fleetctl/login.go:70 +0xc6

<http://github.com/urfave/cli.HandleAction(0xb1f700|github.com/urfave/cli.HandleAction(0xb1f700>, 0xc0001eafa0, 0xc0000cef20, 0xc0000a9800, 0x0)

/Users/zwass/dev/go/pkg/mod/github.com/urfave/cli@v1.20.0/app.go:490 +0x82

<http://github.com/urfave/cli.Command.Run(0xc0d5c9|github.com/urfave/cli.Command.Run(0xc0d5c9>, 0x5, 0x0, 0x0, 0x0, 0x0, 0x0, 0xc1a218, 0x15, 0xc3dc2d, ...)

/Users/zwass/dev/go/pkg/mod/github.com/urfave/cli@v1.20.0/command.go:210 +0x9fb

<http://github.com/urfave/cli.(*App).Run(0xc000204b60|github.com/urfave/cli.(*App).Run(0xc000204b60>, 0xc00009a020, 0x2, 0x2, 0x0, 0x0)

/Users/zwass/dev/go/pkg/mod/github.com/urfave/cli@v1.20.0/app.go:255 +0x768

<http://github.com/urfave/cli.(*App).RunAndExitOnError(0xc000204b60)|github.com/urfave/cli.(*App).RunAndExitOnError(0xc000204b60)>

/Users/zwass/dev/go/pkg/mod/github.com/urfave/cli@v1.20.0/app.go:276 +0x53

main.main()

/Users/zwass/dev/fleet/cmd/fleetctl/fleetctl.go:44 +0x828

Any clue about how to handle this? I cannot find anythin in github/inet. Thanks for your help. M.