# fleet
r
I'm running on Microsoft cloud based Linux, which is based on Fedora. I'm running on an ARM64. I install the prebuilt osqueryd https://github.com/osquery/osquery/releases/download/5.9.1/osquery-5.9.1-1.linux.aarch64.rpm and drop in osquery.flags, osquery.conf, fleet.pm, secret.txt in the same place with same contents as I do on Ubuntu machines. The osqueryd starts running, successfully "phones home" for the 1st time, and the host is shown on the fleet webapp, so all is good until now. However, "disk space available" shows "No data available", and the fields for Private IP address and Public IP address are shown as blank. Running strace on the osqueryd shows plausible periodic traffic from my master machine. Suggestions on how to debug this issue?
k
Hey @Robert R. Henry, are you able to run live queries against that host? You could try the disk space query as a test:
```sql
SELECT (blocks_available * 100 / blocks) AS percent_disk_space_available,
       round((blocks_available * blocks_size *10e-10),2) AS gigs_disk_space_available
FROM mounts WHERE path = '/' LIMIT 1;
```
The most likely culprit is that this particular distro doesn't have things in the exact places the detail queries are looking for them. Running a live query will confirm for sure whether communication is happening.
r
On the machine I want to monitor, as myself, for about 128 or so tables, doing
```shell
echo "select * from $table;" | osqueryi
```
returns tables that look entirely plausible and useful.
```
cat demo.osqueryi | osqueryi
E0706 095447.207604 1375054 mounts.cpp:104] statfs failed with errno 13 on path /boot/efi
E0706 095447.207664 1375054 mounts.cpp:104] statfs failed with errno 13 on path /sys/kernel/debug/tracing
+------------------------------+---------------------------+
| percent_disk_space_available | gigs_disk_space_available |
+------------------------------+---------------------------+
| 25                           | 98.66                     |
+------------------------------+---------------------------+
```
k
Good deal. In that case, it sounds like a communication issue. Are you able to run that query as a live query in Fleet and get results?
I'd also like to see the contents of that osquery.flags file.
r
I am able to run the live query from the fleet GUI served to port 8080 from my machine hosting fleet. The live query got a plausible answer.
The contents of the machine-to-be-monitored file /etc/osquery/osquery.flags are:
```
# Server
--tls_hostname=xxxxx-ubnt-03.xxxx.corp.microsoft.com:8080
--tls_server_certs=/etc/osquery/fleet.pem
# Enrollment
--host_identifier=instance
--enroll_secret_path=/etc/osquery/secret.txt
--enroll_tls_endpoint=/api/osquery/enroll
# Configuration
--config_plugin=tls
--config_tls_endpoint=/api/v1/osquery/config
--config_refresh=10
# Live query
--disable_distributed=false
--distributed_plugin=tls
--distributed_interval=10
--distributed_tls_max_attempts=3
--distributed_tls_read_endpoint=/api/v1/osquery/distributed/read
--distributed_tls_write_endpoint=/api/v1/osquery/distributed/write
# Logging
--logger_plugin=tls
--logger_tls_endpoint=/api/v1/osquery/log
--logger_tls_period=10
# File carving
--disable_carver=false
--carver_start_endpoint=/api/v1/osquery/carve/begin
--carver_continue_endpoint=/api/v1/osquery/carve/block
--carver_block_size=2000000
--verbose
```
Aha. I begin to smell smoke. The fleet GUI is not displaying anything involving network and mac addresses for the servers of interest, but it does display things like the architecture, uptime, etc. Of course it is the network ipv4 I want 🙂 I'll dig into osqueryd's code that tries to get network conf info.
OK, you can close this "ticket". The missing two fields fleet does not display for my server of interest are for "Public IP address" and "Private IP address". My servers are in an undisclosed location, through I don't know how many bridges, etc. Since https://github.com/fleetdm/fleet/blob/main/docs/Deploying/Configuration.md#public-ips-of-devices emphasizes the heuristics used to recover the Public IP and Private IP, I suspect those heuristics are failing me.
Of course, I'm running osquery and fleet precisely to get fresh pairings of the network ipv4 and the hostname. In my world, DNS is partitioned, and is focused on the other operating system.