Hi all Hoping you can assist with a Windows agent issue Whil osquery #fleet

Hi all! Hoping you can assist with a Windows agen...

Mike S.

04/12/2023, 9:58 PM

Hi all! Hoping you can assist with a Windows agent issue: While looking into an issue with Windows hosts intermittently pulling vitals and not returning live query results, I found an error after installing the Fleet Windows agent on Win10/11/Server 2019: INF Service Stop Requested 2023-04-10T184945Z ERR unexpected exit error="os service stop request" It looks like this is occurring every 25-30 minutes. The package was generated on a Linux system (working on getting a Windows system to test package generation) with these flags: fleetctl package --type=msi --fleet-url=<URL> -enroll-secret=<SECRET> —FLEET_SERVER_TLS=false --logger_plugin=filesystem,aws_firehose --verbose=true --debug=true Let me know what other info I can provide!

zwass

04/13/2023, 1:09 AM

The system the package was generated on should not make a difference (either way it uses a container to generate the MSI).

zwass

04/13/2023, 1:11 AM

Your package command looks a bit unusual though... After the enroll secret you have

FLEET_SERVER_TLS=false

which is neither a

fleetctl

flag nor an osquery flag (it is a Fleet server flag though). If you remove the rest of those options do you still have the error?

Lucas Rodriguez

04/13/2023, 1:56 PM

Hi folks. And also

--logger_plugin=filesystem,aws_firehose

is not a

fleetctl package

flag.

Lucas Rodriguez

04/13/2023, 1:57 PM

If the issue persists, please check log lines previous to

2023-04-10T18:49:45Z ERR unexpected exit error="os service stop request"

(in

C:\Windows\system32\config\systemprofile\AppData\Local\FleetDM\Orbit\Logs\orbit-osquery.log

)

Mike S.

04/13/2023, 3:19 PM

Thanks all - obviously I have some reading to do on which flag goes where! Let me do some research and I'll follow up.

Open in Slack

Previous Next