Hi Community, we are getting the following error i...
# fleetd
Darshal Shah
01/23/2024, 7:11 PMHi Community, we are getting the following error in osquery status log, when we try to run the following scheduled query
select * from rpm_packages; Copy code
","severity":"1","filename":"config.cpp","line":"326","message":"Scheduled query may have failed: pack/Global/rpm_packages","version":"5.9.1","decorations":Darshal Shah
01/25/2024, 2:09 PMcan someone please help?
g
Grant Bilstad
01/25/2024, 4:56 PMWhat version of Fleet are you running into this on @Darshal Shah?
d
Darshal Shah
01/25/2024, 5:17 PM4.28.0
Darshal Shah
01/25/2024, 5:17 PM@Grant Bilstad
Darshal Shah
01/25/2024, 6:04 PMWe really need this query to work for compliance reasons
k
Kathy Satterlee
01/29/2024, 6:51 PMHey @Darshal Shah! It sounds as though this query may have been running when the osquery watchdog was triggered. A good way to test this is to look at the osquery_schedule table to see if the query is denylisted.
d
Darshal Shah
01/29/2024, 9:02 PMHey @Kathy Satterlee I ran the following query
SELECT name, query FROM osquery_schedule WHERE denylisted='1';select * from rpm_packages;--disable_watchdog=trueDarshal Shah
01/29/2024, 9:02 PMdoes it go in agent option under command_line_flags?
k
Kathy Satterlee
01/29/2024, 9:19 PMYou should see results for hosts that did not fail. The denylist does only last 24 hours by default, so it could be that some hosts have timed out and successfully run the query again, depending on how long ago you saw those errors.
Kathy Satterlee
01/29/2024, 9:21 PMUse caution when totally disabling the watchdog. I'd take a look at all of the denylisted queries first to see if you find any trends there. It could be this query itself that caused the watchdog to trigger, but it could also be another query that was running at the same time. The denylist just applies to anything running at the time the watchdog was triggered.
2 Views