Osquery uses basic SQL commands to leverage a relational data-model to describe a device.

osquery

I need a cup of coffee...or several :disappointed: sorry about that

<@UDYEMLVJ7> try asking in <#C1XCLA5DZ|kolide>. They should be able to help with kolide specific stuff

Hi all, is there any way to update client's tls cert( 90000+) quickly? My server is kolide.

Hey, I recommend asking in the <#C1XCLA5DZ|kolide> channel. That's where the experts hang out :smile:

Does anyone know offhand when using osquery in tls refresh mode for the config profile, if there is a valid profile downloaded and a schedule of queries handed off to the scheduler, then comms to the tls config endpoint serving the profile are interupted for subsequent refreshes, does the Scheduler continue running the last successfully refreshed schedule of queries?

what if communication is in place, but the endpoint serving the configuration profile returns a 500?

I would expect it to continue using the old config. If it doesn't that's a bug IMO.

agreed.  gonna do some more digging and try to reproduce, but seeing some odd behavior.  I severed comms to the tls endpoint completely but osquery is continuing to run the previously downloaded schedule just fine.  so it seems like something with getting a connection but unexpected response.  old version of osquery I’m using, so also possible if it is a bug, it’s been addressed.  thanks <@U0JFM04MS>

Yeah trying it on osquery stable makes sense.

EDIT: Answered my own question but leaving this here for others.
Answer: <https://osquery.slack.com/archives/C235GUPH8/p1524761280000300>

If your Osquery TLS server serves a TLS certificate signed by a trusted authority like Digicert do you still need to place the pub cert on endpoints and use the `--tls_server_certs=` flag?

Found an answer to my question:

<https://osquery.slack.com/archives/C235GUPH8/p1524761280000300>

is there any way to force a refresh of the node key?

For a Fleet user I'd recommend deleting the host from Fleet -- that would cause a re-enrollment when the host next checks in and receives a `node_invalid` message.

I imagine there's some equivalent that could be done in any other TLS server implementation.

ah yeah we're not using fleet here (yet) :[

is the node key just `osquery.db/IDENTITY`?

This is relatively easy from the server. Less sure about the client. If you’re re-enrolling, do you need to keep any of the local state? (vs removing the entire database)

&gt; is the node key just osquery.db/IDENTITY?
I think probably not. The node key will be somewhere in the rocksdb database that I would expect to be opaque except when parsed by rocksdb.

<https://osquery.readthedocs.io/en/latest/deployment/remote/#remote-logging>

```{
  "node_invalid": false // Optional, return true to indicate re-enrollment.
}```

Can you specify `--tls_server_certs=...` more than once in a flags config? Like:

```--tls_hostname=<http://example.com|example.com>
--tls_server_certs=blah1
--tls_server_certs=blah2```

No, but you can put more than one cert into the file :slightly_smiling_face:

Hi all! I'm trying to configure mTLS (FleetDM), but I can't find anything about it in the documentation and the client generated by the packer doesn't support keys for client authentication. Is it possible?

hello all. I’m stucking in a problem. My server has wildcard certificate *.<http://test.company.com|test.company.com> and the FQDN is <http://final.test.company.com|final.test.company.com> when a try to make a enroll the osquery return `Failed enrollment request to <https://final.test.company.com/api/osquery/enroll> (No node key returned from TLS enroll plugin) retrying...`

This looks like a Fleet issue... Our team can help you out further over in <#C01DXJL16D8|fleet>. Looks like your cert is being handled fine though!

Try turning on `--tls_dump` so that you can see what osquery is sending. Probably the enroll secret is not configured properly.

Hi <@U0JFM04MS> thank you. I’ll post my question in <#C01DXJL16D8|fleet>

I’m using --tls_dump. When I get de body dump from enroll request and send via CURL works fine. and fleet return node_key.

When a make curl on /api/osquery/enroll and send the body everything works fine. is possible use osquery with wildcard certificates?

Hey folks, I'm writing a carve endpoint for our osquery server, but I'm confused on the format I should be returning errors to the client in. Any pointers here? I've been reading through the docs trying to find the answer too

I'm pretty sure it should just be `{"message":"a message","status":1}` , I could also be misinterpreting the client code for how it's supposed to log errors from the carve start endpoint

Okay, I'm still a bit lost here. I'm expecting <https://github.com/osquery/osquery/blob/master/osquery/carver/carver.cpp#L220> to log something when my server returns an error code of 500 and a body like above w/ a json content type

the client seems to not return when i expect and instead hits <https://github.com/osquery/osquery/blob/master/osquery/carver/carver.cpp#L322>

Hi, everyone! I am struggling with json parsing error during using TLS logger plugin. Maybes someone can help me with this. Details in the thread.

Error:
```Jun 23 15:46:05 ubuntu osqueryd[30443]: I0623 15:46:05.730775 30469 buffered.cpp:90] Error sending status to logger: Cannot parse JSON: Invalid value. Offset: 0```

same closed issue on GitHub <https://github.com/osquery/osquery/issues/6525>

I am not using fleet or similar server-service, but custom proxy service have written on go.

Your server is probably not returning json. (Or is mingling headers into the body, or something)

You’ll need to see the actual http response to tell. Can you curl it?

Basically, I’m saying there’s a bug in your http server. 

Ah. We do have a `-tls_dump` debugging flag. <https://osquery.readthedocs.io/en/stable/deployment/debugging/|https://osquery.readthedocs.io/en/stable/deployment/debugging/> so that might be simplest

Hi, <@U7QP20JQH>. You was right. The problem was in incorrect server settings, and the error on the osquery side arises when it receives NOT json response from server.