<https://osquery.slack.com/archives/CBLGAN1HD/p168...
# fleet
a
d
More information:
√ ; sudo systemctl is-active  clamav-freshclam
active
√ ; procs freshclam
 PID:▲  User       │ TTY CPU MEM CPU Time │ Command
                   │     [%] [%]          │
 430207 clamupdate │     0.0 0.0 00:00:00 │ /usr/bin/freshclam -d --foreground=true
It is definitely running… 🤔
It would be nice to see what commands fleet uses to find out what goes wrong. I have the same issue with ssh keys: one of them does not have a password. Which one? ¯\_(ツ)_/¯
k
When you refreshed Fleet, did you also run a refetch for the host's information? What happens if you run the policy query manually?
d
I think so… There's a refresh button in the UI, which is what I used. How do I run the query manually?
√ ; fleetctl query --query 'SELECT score FROM (SELECT case when COUNT(*) = 2 then 1 ELSE 0 END AS score FROM processes WHERE (name = 'clamd') OR (name = 'freshclam')) WHERE score == 1;'  --labels='All Hosts'
{"host":"nightwatch.neverness.org","rows":[],"error":"no such column: clamd"}
[…]
✗ 130 ;
My bad! My shell was not parsing the query properly. This is better:
√ ; fleetctl query --query "SELECT score FROM (SELECT case when COUNT(*) = 2 then 1 ELSE 0 END AS score FROM processes WHERE (name = 'clamd') OR (name = 'freshclam')) WHERE score == 1;"  --labels='All Hosts'
{"host":"nightwatch.neverness.org","rows":[]}
 100% responded (100% online) | 8/8 targeted hosts (8/8 online)
√ ;
Is that the correct query? 🤔 I pulled it out of the UI.
l
Hi @Dr Yann Golanski! According to the description, the query:
Checks that both ClamAV's daemon and its updater service (freshclam) are running.
To troubleshoot, you could check if both processes are actually running by running a simpler query:
fleetctl query --query "SELECT * FROM processes WHERE (name = 'clamd') OR (name = 'freshclam');"  --labels='All Hosts'
d
clamd was not running. Thank you.