Hi all - when I look at a single host in the Hosts...
# fleetm
Mike S.
02/05/2024, 11:41 PMHi all - when I look at a single host in the Hosts section, there is a spot where the Public IP is displayed. Where is that data sourced from? Is this a backend query? I'd like to use that public IP data in other queries.
k
Kathy Satterlee
02/05/2024, 11:45 PMFleet attempts to grab that from common http headers when processing incoming requests:
https://fleetdm.com/docs/deploy/public-ip
m
Mike S.
02/05/2024, 11:46 PMThanks Kathy! Does that data get deposited into a table anywhere?
k
Kathy Satterlee
02/05/2024, 11:46 PMIt's in the hosts table in Fleet, but not reachable with
osquerym
Mike S.
02/05/2024, 11:47 PMBummer, ok.
k
Kathy Satterlee
02/05/2024, 11:48 PMWe were originally getting Public IP with a query, but it proved to be a bit unreliable, and still required additional processing in Fleet
m
Mike S.
02/05/2024, 11:50 PMYeah, I was hoping this would work since curling the IP isn't reliable, as you said
k
Kathy Satterlee
02/05/2024, 11:50 PMDepending on what environment the host is in, you could in theory run a query through the curl table
Kathy Satterlee
02/05/2024, 11:50 PMLol
m
Mike S.
02/05/2024, 11:50 PMUnfortunately the curl table fails more often than not due to certificate issues.
k
Kathy Satterlee
02/05/2024, 11:51 PMIt's a little sticky.
Kathy Satterlee
02/05/2024, 11:54 PMI have a completely non-fleshed-out idea that I might try out:
1. Set up a local cron job that :
a. uses curl to hit an API and fetch the publicIP
b. Writes the result to file
2. Use
file_linesplistKathy Satterlee
02/05/2024, 11:54 PMWould still likely not be 100% accurate all of the time, but could do the trick.