Hey everyone I m experiencing odd behavior in my Fleet deplo osquery #fleet

Hey everyone! I'm experiencing odd behavior in my ...

Saulo Guilhermino

05/11/2023, 8:09 PM

Hey everyone! I'm experiencing odd behavior in my Fleet deploy and would like to let you know as I think it's a bug: Recently there was a change in the users on my machine (a Ubuntu 22.04): a new user was added to the system (an active user whose shell is

/usr/bin/zsh

). I expected this change to be reflected on the host details page in Fleet, but it never happened. I refetched a few times and nothing happened, until I decided to remove the machine from Fleet and wait for it to join again. Now that the machine has rejoined, users no longer load. I've already tested the

usersQueryStr

query locally, used by the server to populate the host_users table, and it returns the desired users in

osqueryi

. I'm currently using version 4.31.0 of Fleet.

Saulo Guilhermino

05/11/2023, 8:14 PM

I already looked for error logs on the server, but nothing related appeared. I only found lines related to failures in ingesting values referring to disk space:

Copy code

{
  "component": "http",
  "err": "error in query ingestion",
  "ingestion-err": "ingesting query disk_space_unix: strconv.ParseFloat: parsing \"73,010000000000005.0\": invalid syntax",
  "level": "error",
  "method": "POST",
  "took": "788.528233ms",
  "ts": "2023-05-11T20:09:53.017595007Z",
  "uri": "/api/v1/osquery/distributed/write"
}

Kathy Satterlee

05/11/2023, 9:29 PM

Can you check for any

denylisted

errors in the logs?

Kathy Satterlee

05/11/2023, 9:31 PM

What happens if you run the query as a live query through Fleet?

Saulo Guilhermino

05/11/2023, 9:38 PM

There are some

denylisted

errors in the last 3 hours but my machine's

hostID

is not one of them

Saulo Guilhermino

05/11/2023, 9:40 PM

When I run the query live it brings the results as expected

Kathy Satterlee

05/11/2023, 10:20 PM

Thanks @Saulo Guilhermino. Reaching out to the team for some input on this one.

Saulo Guilhermino

05/11/2023, 10:20 PM

No problem! Thanks for the support

Kathy Satterlee

05/11/2023, 10:24 PM

One thing that I should probably have you check (it's always the "obvious" things I miss)... Have you disabled host users, or overridden the detail query?

Saulo Guilhermino

05/11/2023, 10:31 PM

I haven't really messed with any settings in the meantime

Saulo Guilhermino

05/11/2023, 10:36 PM

I just removed two more hosts to perform the same test. An Ubuntu with OSQuery 5.8.2 and a Windows with OSQuery 5.8.1. Both have already rejoined but only Windows users are showing (along with disk information)

Kathy Satterlee

05/11/2023, 10:41 PM

Excellent test, thank you.

Kathy Satterlee

05/11/2023, 10:42 PM

Can you grab the osquery logs from one of those Linux Hosts for me?

Saulo Guilhermino

05/11/2023, 10:52 PM

Sure!

Saulo Guilhermino

05/11/2023, 10:53 PM

Here are the logs for the osqueryd on my machine via journalctl

osqueryd.logs

Saulo Guilhermino

05/11/2023, 10:58 PM

And here are the logs for the last two days for my host on Fleet

osquery.logs

Jacob Burley

05/13/2023, 5:22 PM

Just wanna chime in and say that I have this issue too on 4.31.0, no changes made to the default host config. Fetching via live query returns expected results, I’ll check the other troubleshooting steps suggested on Monday :)

Kathy Satterlee

08/11/2023, 2:14 PM

Sorry @Saulo Guilhermino, I somehow missed those logs!

Saulo Guilhermino

08/11/2023, 2:24 PM

No problem, Kathy! 😄

4 Views

Open in Slack

Previous Next