https://github.com/osquery/osquery logo
Powered by
Title
s

Saulo Guilhermino

05/11/2023, 8:09 PM
Hey everyone! I'm experiencing odd behavior in my Fleet deploy and would like to let you know as I think it's a bug: Recently there was a change in the users on my machine (a Ubuntu 22.04): a new user was added to the system (an active user whose shell is 
/usr/bin/zsh
). I expected this change to be reflected on the host details page in Fleet, but it never happened. I refetched a few times and nothing happened, until I decided to remove the machine from Fleet and wait for it to join again. Now that the machine has rejoined, users no longer load. I've already tested the 
usersQueryStr
query locally, used by the server to populate the host_users table, and it returns the desired users in 
osqueryi
. I'm currently using version 4.31.0 of Fleet.
I already looked for error logs on the server, but nothing related appeared. I only found lines related to failures in ingesting values referring to disk space: 
{
  "component": "http",
  "err": "error in query ingestion",
  "ingestion-err": "ingesting query disk_space_unix: strconv.ParseFloat: parsing \"73,010000000000005.0\": invalid syntax",
  "level": "error",
  "method": "POST",
  "took": "788.528233ms",
  "ts": "2023-05-11T20:09:53.017595007Z",
  "uri": "/api/v1/osquery/distributed/write"
}
k

Kathy Satterlee

05/11/2023, 9:29 PM
Can you check for any 
denylisted
errors in the logs?
What happens if you run the query as a live query through Fleet?
s

Saulo Guilhermino

05/11/2023, 9:38 PM
There are some 
denylisted
errors in the last 3 hours but my machine's 
hostID
is not one of them
When I run the query live it brings the results as expected
k

Kathy Satterlee

05/11/2023, 10:20 PM
Thanks @Saulo Guilhermino. Reaching out to the team for some input on this one.
s

Saulo Guilhermino

05/11/2023, 10:20 PM
No problem! Thanks for the support
k

Kathy Satterlee

05/11/2023, 10:24 PM
One thing that I should probably have you check (it's always the "obvious" things I miss)... Have you disabled host users, or overridden the detail query?
s

Saulo Guilhermino

05/11/2023, 10:31 PM
I haven't really messed with any settings in the meantime
I just removed two more hosts to perform the same test. An Ubuntu with OSQuery 5.8.2 and a Windows with OSQuery 5.8.1. Both have already rejoined but only Windows users are showing (along with disk information)
k

Kathy Satterlee

05/11/2023, 10:41 PM
Excellent test, thank you.
Can you grab the osquery logs from one of those Linux Hosts for me?
s

Saulo Guilhermino

05/11/2023, 10:52 PM
Sure!
Here are the logs for the osqueryd on my machine via journalctl
osqueryd.logs
And here are the logs for the last two days for my host on Fleet
osquery.logs
j

Jacob Burley

05/13/2023, 5:22 PM
Just wanna chime in and say that I have this issue too on 4.31.0, no changes made to the default host config. Fetching via live query returns expected results, I’ll check the other troubleshooting steps suggested on Monday :)
#fleetJoin Slack
Powered by