https://github.com/osquery/osquery logo
Join Slack
Powered by
Can anyone think of why some hosts have blank valu...
# fleet
c
Can anyone think of why some hosts have blank values for a bunch of common fields when I query them via the 
/fleet/hosts
endpoint? The UI shows the correct data but the API is returning blank values.
Copy code
{
  "version": "4.32.0",
  "branch": "HEAD",
  "revision": "9055564b0c1529bfa9b3a00df961bf6188ddf53b",
  "go_version": "go1.20.1",
  "build_date": "2023-05-24",
  "build_user": "runner"
}
oh, disregard, somehow a host with the same serial ended up enrolled twice in fleet. not sure how that happens 🤔
r
@clong the machine was online when we have same serial number?
c
yeah, it actually looks like this is happening a lot with our newly enrolled machines
we're using orbit to enroll and this seems to just have started happening recently
odd thing is, if i delete the host entries that have no information, they come back
i have no idea if this is a bug in fleet or something messed up with how im doing enrollment with orbit
l
Hi @clong! What version of Orbit are you using? What OS do these devices have? Not long ago we fixed an issue in Orbit related to empty host entries (#9132).
c
@Lucas Rodriguez They're running 13.4 and I'm actually not sure about the orbit version, I used 
fleetctl package
to create the installer. how can I check?
l
Ah, macOS 13.4?
To check for orbit version in the host you can use:
Copy code
/opt/orbit/bin/orbit/orbit --version
c
ah, ty! will check
what versions are affected and what version was the fix present?
l
The issue was fixed in 1.8.0
c
@Lucas Rodriguez thank you for all the help here, i really appreciate it. If I use 
fleetctl package
to create my package, is there a way i can find out the version of orbit being bundled in it somehow?
l
To check what might be going on please take a look at
Copy code
sudo vim /var/log/orbit/orbit.stderr.log
If I use 
fleetctl package
to create my package, is there a way i can find out the version of orbit being bundled in it somehow?
Not easily, you can extract the package with 
pkgutil
. But if you are generating a package today then it will use latest version of all components (orbit - 1.10.0) by default.
c
perfect - sounds good!
is the version of orbit tied to the version of fleet that is running, or it just goes and pulls the latest orbit code?
l
Pulls latest, totally separate from the Fleet server.
c
sounds great. will get that updated package deployed, check the logs and post back here when done. really really appreciate the help!
Hmm looks like it's already running orbit 1.10
is there anything i should be looking for in the logs related to this specific issue?
could this be because I'm using hostname as the 
host_identifier
?
Copy code
cat /opt/orbit/osquery.flags
--host_identifier=hostname
--logger_snapshot_event_type=true
I tried uninstalling orbit and reinstalling with a newly created package, same issue
it looks like orbit is passing both 
--host_identifier=uuid
and 
--flagfile /opt/orbit/osquery.flags
on the CLI. which will take priority? the CLI flag or the value in the flagfile? Are the orbit cli flags configurable?
Are the orbit cli flags configurable?
NVM, I forgot I did this in our config:
Copy code
---
apiVersion: v1
kind: config
spec:
  agent_options:
    command_line_flags:
      host_identifier: hostname
      logger_snapshot_event_type: true
Which is probably how they ended up in 
/opt/orbit/osquery.flags
l
Ah, yes, setting 
--host_identifier=hostname
will cause this issue you are seeing. Orbit currently works by running osquery with 
--host_identifier=uuid
(hardcoded).
c
oh, bummer 😞
since agent options in the fleet config are only for orbit at this time, i would consider blacklisting certain options if they're going to cause issues
l
Totally agree. I'll create an issue to prevent this from happening.
For future reference, here's the issue: #12349.
2 Views
Open in Slack
PreviousNext
Powered by