# fleet
j
Hi team - I'm trying to add this osquery flag in the yml agent options, es_fim_enable_open_events, but get this error. Do I need to add it via fleetctl?
k
Hey @Jomaree Gammad, can you share the full config that you're applying?
j
config:
  options:
    pack_delimiter: /
    logger_tls_period: 10
    distributed_plugin: tls
    disable_distributed: false
    logger_tls_endpoint: /api/osquery/log
    distributed_interval: 10
    distributed_tls_max_attempts: 3
    es_fim_enable_open_events: true
  decorators:
    load:
      - SELECT uuid AS host_uuid FROM system_info;
      - SELECT hostname AS hostname FROM system_info;
command_line_flags:
  disable_events: false
  disable_endpointsecurity: false
  disable_endpointsecurity_fim: false
g
Hey @Jomaree Gammad, I believe es_fim_enable_open_events should be under the command_line_flags key.
k
@Jomaree Gammad What version of Fleet are you running? That flag is not a command line flag, but it was recently added in osquery 5.10, so depending on the Fleet version, the validation flow wouldn't recognize it as valid. I tested in our internal instance and it is accepted in v4.44.0 (which is pre-release), but I haven't looked into specifically where it was added to the validation.
j
Hey both! Most of the devices are on 5.11.0. There are a bunch of devices that are on the older versions (5.8.1 or 5.9.1) but they haven't connected for a while. We just recently upgraded to 4.43.3 today.
I also tried to add it under command_line_flags but get the same error
k
Let me double-check, but I'm betting we added the flag to Fleet's validation in the release that just went out.
Yep! https://github.com/fleetdm/fleet/issues/16180 The ticket hasn't closed out yet because the release just happened, but it's in 4.44.0
If you want to get this applied before you're able to upgrade, you can skip the validation when applying the Agent Options as a yaml file with fleetctl.
That would look a bit like this:
1. Pull the current Fleet app config and save it to a file:
fleetctl get config > config.yml
2. Modify the file to include the flag in your options
3. Apply the config and skip validation:
fleetctl apply -f config.yml --force
j
Sure let me try that since we just upgraded to 4.43.3 today.
I'm getting this
➜  ~ fleetctl get config > config.yml
Warning: Version mismatch.
Client Version:   4.28.0
Server Version:  4.43.3
but I think I did get the file.
ok, I edited the file and tried to apply
➜  fleetdm fleetctl apply -f config.yml --force
Warning: Version mismatch.
Client Version:   4.28.0
Server Version:  4.43.3
Error: applying fleet config: PATCH /api/latest/fleet/config received status 400 Bad Request: unsupported key provided: "macos_settings"
k
Try updating fleetctl to 4.43.0 as well. If you’re using npm, it’s
npm i -g fleetctl@v4.43.0
j
Now getting this error. I also tried to apply without the flag included but still get the same error. Is a premium license needed for this?
➜  fleetdm fleetctl apply -f config.yml --force
Error: applying custom settings: missing or invalid license
k
Not for this specifically. I suspect that it may have been because the config was fetched with the earlier version of fleetctl. You can try pulling it again to see if there are some fields that are missing - there were some bugs in earlier versions that included keys for Premium features when you fetched config that caused these errors when you went to apply. Or you can try fetching a fresh version of the config.
j
I did perform a get config after upgrading to the newer fleetctl version.
k
If you'd like to send over a copy of your config, I can figure out what keys are causing the issue
And get a bug report together if there's an issue there.
j
hmm I also tried to remove the transparency part and get the same error 😢
for sure!
k
You can DM if you prefer
j
Will do!
k
Thanks for sending that over. It looks like the scripts key was the culprit. I'll see if I can find a ticket for this, but it does seem to be resolved in v4.44.0
j
sounds good, thanks!
So would I need to upgrade to 4.44.0 to perform this, or just simply remove the scripts key?
k
Sorry, try just removing that key.
j
Worked!
➜  fleetdm fleetctl apply -f config.yml --force
[+] applied fleet config
k
I verified for sure that we've got both the script issue fixed and the validations set up to support osquery 5.11 in the latest version, so I won't be creating a ticket for those, glad we got you up and running!
j
Hi @Kathy Satterlee - bumping this again as I'm not seeing any results when I run a query from the es_process_file_events table. I think it's due to where I've put the flags required for this, as it isn't a command line flag. We're trying to follow this guide but unsure where to format or put the osquery flags and the file_paths flag in the config yml file. We're still waiting on updating to 4.44.0 as we just solved our logging issue and are waiting until that's fully approved and pushed. Here is part of our config file:
apiVersion: v1
kind: config
spec:
  agent_options:
    command_line_flags:
      disable_endpointsecurity: false
      disable_endpointsecurity_fim: false
      disable_events: false
      es_fim_enable_open_events: true
    config:
      decorators:
        load:
        - SELECT uuid AS host_uuid FROM system_info;
        - SELECT hostname AS hostname FROM system_info;
      options:
        disable_distributed: false
        distributed_interval: 10
        distributed_plugin: tls
        distributed_tls_max_attempts: 3
        logger_tls_endpoint: /api/osquery/log
        logger_tls_period: 10
        pack_delimiter: /
    file_paths:
      aws:
      - /Users/*/.aws/*
      azure:
      - /Users/*/.azure/*.json
      chrome:
      - /Users/*/Library/Application\ Support/Google/Chrome/*/Bookmarks
      - /Users/*/Library/Application\ Support/Google/Chrome/*/Cookies
      - /Users/*/Library/Application\ Support/Google/Chrome/*/History
      - /Users/*/Library/Application\ Support/Google/Chrome/*/Login\ Data
  features:
    enable_host_users: true
    enable_software_inventory: true
  fleet_desktop:
    transparency_url: https://fleetdm.com/transparency
  host_expiry_settings:
    host_expiry_enabled: false
    host_expiry_window: 0
k
I'll make sure we get this better documented!

    config:
      decorators:
        load:
          - SELECT uuid AS host_uuid FROM system_info;
          - SELECT hostname AS hostname FROM system_info;
      options:
        disable_distributed: false
        distributed_interval: 10
        distributed_plugin: tls
        distributed_tls_max_attempts: 3
        logger_tls_endpoint: /api/osquery/log
        logger_tls_period: 10
        pack_delimiter: /
      file_paths:
        aws:
          - /Users/*/.aws/*
        azure:
          - /Users/*/.azure/*.json
        chrome:
          - /Users/*/Library/Application\ Support/Google/Chrome/*/Bookmarks
          - /Users/*/Library/Application\ Support/Google/Chrome/*/Cookies
          - /Users/*/Library/Application\ Support/Google/Chrome/*/History
          - /Users/*/Library/Application\ Support/Google/Chrome/*/Login\ Data
j
thank you! I'll try this and get back to you!
Hey Kathy, where do these flags go?
disable_endpointsecurity: false
disable_endpointsecurity_fim: false
disable_events: false
es_fim_enable_open_events: true
k
Those can go in either command_line_flags or options. If you're using plain osquery, you'll need to use options; command_line_flags can only be set using fleetd.
j
This is what I have, but I'm getting the missing or invalid license error when applying via fleetctl:
apiVersion: v1
kind: config
spec:
  agent_options:
    config:
      decorators:
        load:
        - SELECT uuid AS host_uuid FROM system_info;
        - SELECT hostname AS hostname FROM system_info;
      options:
        disable_endpointsecurity: false
        disable_endpointsecurity_fim: false
        disable_events: false
        es_fim_enable_open_events: true
        disable_distributed: false
        distributed_interval: 10
        distributed_plugin: tls
        distributed_tls_max_attempts: 3
        logger_tls_endpoint: /api/osquery/log
        logger_tls_period: 10
        pack_delimiter: /
      file_paths:
        aws:
          - /Users/*/.aws/*
        azure:
          - /Users/*/.azure/*.json
        chrome:
          - /Users/*/Library/Application\ Support/Google/Chrome/*/Bookmarks
          - /Users/*/Library/Application\ Support/Google/Chrome/*/Cookies
          - /Users/*/Library/Application\ Support/Google/Chrome/*/History
          - /Users/*/Library/Application\ Support/Google/Chrome/*/Login\ Data
k
Did you remove the scripts key?
j
Oh yeah! Forgot it snuck in there when I retrieved the config file.. 😅
I got it to apply! Does it take time for the change to take effect? I tried running this query
SELECT * FROM es_process_file_events;
but I'm getting blank/empty results from the table. Am I missing anything else for this to work?
k
It can take a little while for hosts to check in and fetch the new config.
j
It looks like I'm still getting empty results when running the query on my device. I confirmed that the flags are set correctly on my device. Any ideas on what else could be missing? Would I possibly need to have it in this format? https://osquery.slack.com/archives/C08VA8R6F/p1704823473238089?thread_ts=1704819344.077409&cid=C08VA8R6F
k
What happens if you run your scheduled query as a live query?
j
I've been running this query as a live query:
SELECT * FROM es_process_file_events;
j
Cool, I was able to enable FDA and run the test query stated in the doc. But still getting empty results when running
SELECT * FROM es_process_file_events;
I tried changing the format of the file_paths similar to the one in this Slack message, but still no luck 😓. Maybe it's the flags, but not sure.. Is there a way to check locally if the flags have been applied to my device?
overrides:
  platforms:
    darwin:
      file_paths:
        aws:
          - /Users/*/.aws/*
        azure:
          - /Users/*/.azure/*.json
        chrome:
          - /Users/*/Library/Application\ Support/Google/Chrome/*/Bookmarks
          - /Users/*/Library/Application\ Support/Google/Chrome/*/Cookies
          - /Users/*/Library/Application\ Support/Google/Chrome/*/History
          - /Users/*/Library/Application\ Support/Google/Chrome/*/Login\ Data
k
You definitely don't want to go with the overrides route, unless you define all of your other options there as well.
You can query the osquery_flags table to verify that the necessary flags have been applied.
I'd also check the osquery logs on the host to look for any errors.
j
Ah ok cool, that's what I've been checking and it looks like the flags are applied correctly. Where would I check the logs locally again?
Hi Kathy, I was able to look at the logs and it looks like this may be the issue. I verified our ALB rules have the correct path but not sure why we're getting this error. I need to possibly check the ALB logs.
2024-02-24T19:04:07-08:00 INF flags updates failed error="error getting flags from fleet: POST /api/fleet/orbit/config received status 502 unknown"
2024-02-24T19:04:47-08:00 INF flags updates failed error="error getting flags from fleet: POST /api/fleet/orbit/config received status 504 unknown"
2024-02-24T19:05:17-08:00 INF flags updates failed error="error getting flags from fleet: POST /api/fleet/orbit/config received status 503 unknown"
2024-02-24T19:34:40-08:00 INF flags updates failed error="error getting flags from fleet: POST /api/fleet/orbit/config: Post \"https://fleetdm.XXXX.net/api/fleet/orbit/config\": read tcp : read: operation timed out"
2024-02-25T16:21:27-08:00 INF flags updates failed error="error getting flags from fleet: POST /api/fleet/orbit/config: Post \"https://XXXX.net/api/fleet/orbit/config\": net/http: TLS handshake timeout"
2024-02-26T10:44:17-08:00 ERR interrupt for flags updater
k
You're on to something there! It looks like that host is not able to reach the config endpoint. It could be indicative of issues in Fleet (the server logs would be useful there), but the types of errors you're seeing usually point to the load balancer