I've got some `detail_query_overrides` configured ...
# fleet
j
I've got some `detail_query_overrides` configured in Fleet but I believe the `network_interface_windows` I've set is not being sent to node. In fact, I see that the default value for that query is being sent instead. Any ideas?
partial config file looks like this:
```yaml
features:
  enable_host_users: false
  enable_software_inventory: false
  detail_query_overrides:
    disk_encryption_linux: null
    disk_encryption_windows: null
    disk_space_unix: null
    disk_space_windows: null
    network_interface_unix: "SELECT ia.address, id.mac FROM interface_addresses ia JOIN interface_details id ON id.interface = ia.interface JOIN routes r ON r.interface = ia.interface WHERE r.type = 'gateway' ORDER BY r.netmask asc, r.metric ASC, inet_aton(ia.address) IS NOT NULL DESC LIMIT 1"
    network_interface_windows: "SELECT  ia.address, id.mac FROM interface_addresses ia JOIN interface_details id ON id.interface = ia.interface JOIN routes r ON r.interface = ia.address WHERE r.destination = '0.0.0.0' AND r.netmask = 0 AND r.type = 'remote' AND (inet_aton(ia.address) is not null) LIMIT 1"
    disk_encryption_darwin: null
```
And I'm pretty sure the other overrides are working as expected.
When I look at a Windows node, this is the query that Fleet is sending it when it hits the `distributed/read` endpoint:
```json
"fleet_detail_query_network_interface_windows": "SELECT\n    ia.address,\n    id.mac\nFROM\n    interface_addresses ia\n    JOIN interface_details id ON id.interface = ia.interface\n\t-- On Unix ia.interface is the name of the interface,\n\t-- whereas on Windows ia.interface is the IP of the interface.\n    JOIN routes r ON r.interface = ia.address\nWHERE\n\t-- Destination 0.0.0.0/0 is the default route on route tables.\n    r.destination = '0.0.0.0' AND r.netmask = 0\n\t-- Type of route is \"gateway\" for Unix, \"remote\" for Windows.\n    AND r.type = 'remote'\n\t-- We are only interested on private IPs (some devices have their Public IP as Primary IP too).\n    AND (\n\t\t-- Private IPv4 addresses.\n\t\tinet_aton(ia.address) IS NOT NULL AND (\n\t\t\tsplit(ia.address, '.', 0) = '10'\n\t\t\tOR (split(ia.address, '.', 0) = '172' AND (CAST(split(ia.address, '.', 1) AS INTEGER) \u0026 0xf0) = 16)\n\t\t\tOR (split(ia.address, '.', 0) = '192' AND split(ia.address, '.', 1) = '168')\n\t\t)\n\t\t-- Private IPv6 addresses start with 'fc' or 'fd'.\n\t\tOR (inet_aton(ia.address) IS NULL AND regex_match(lower(ia.address), '^f[cd][0-9a-f][0-9a-f]:[0-9a-f:]+', 0) IS NOT NULL)\n\t)\nORDER BY\n    r.metric ASC,\n\t-- Prefer IPv4 addresses over IPv6 addresses if their route have the same metric.\n\tinet_aton(ia.address) IS NOT NULL DESC\nLIMIT 1;",
```
k
I suspect the quotes are responsible.
This should do the trick:
```yaml
features:
 enable_host_users: false
 enable_software_inventory: false
 detail_query_overrides:
  disk_encryption_linux: null
  disk_encryption_windows: null
  disk_space_unix: null
  disk_space_windows: null
  network_interface_unix: SELECT ia.address, id.mac FROM interface_addresses ia JOIN interface_details id ON id.interface = ia.interface JOIN routes r ON r.interface = ia.interface WHERE r.type = 'gateway' ORDER BY r.netmask asc, r.metric ASC, inet_aton(ia.address) IS NOT NULL DESC LIMIT 1
  network_interface_windows: SELECT ia.address, id.mac FROM interface_addresses ia JOIN interface_details id ON id.interface = ia.interface JOIN routes r ON r.interface = ia.address WHERE r.destination = '0.0.0.0' AND r.netmask = 0 AND r.type = 'remote' AND (inet_aton(ia.address) is not null) LIMIT 1
  disk_encryption_darwin: null
```
If I'm right, I'll add a note to the docs.
j
Thanks. I'll give it a go!
No luck. I removed the double-quotes around the SQL in the config file, restarted fleet, and the same default query is still being sent.
Also, the `fleet_detail_query_network_interface_unix` does match what's in the config file and that is being sent to Linux platform nodes. /me shakes fist at Windows
k
Darn, I had a run-in with detail queries just last week and that was the issue then.
If you pull the config again with `fleetctl get config`, what comes back?
j
The `network_interface_windows` line is missing!
k
So the issue lies somewhere in setting the config.
When you updated without the quotes, did you remove them from both?
j
yes.
k
Do your versions of `fleetctl` and Fleet line up?
Assuming that you're using fleetctl,...
j
Yes.
k
Brilliant. What version are you working with? I'll give it a test as soon as I'm able
j
4.29.1 🤪
k
If you'd also be willing to make a small tweak to the Unix version, or temporarily delete it, I'd love to know if that applies correctly.
j
I've parsed the yaml in Python as a smoke test. No smoke detected.
```python
>>> import yaml
>>> f = open("fleet.yml", mode="r")
>>> y = yaml.safe_load(f)
>>> y['features']['detail_query_overrides']['network_interface_windows']
"SELECT ia.address, id.mac FROM interface_addresses ia JOIN interface_details id ON id.interface = ia.interface JOIN routes r ON r.interface = ia.address WHERE r.destination = '0.0.0.0' AND r.netmask = 0 AND r.type = 'remote' AND (inet_aton(ia.address) is not null) LIMIT 1"
```
Let me see if I can make a harmless tweak to network_interface_unix - testing in prod. 🙂
Actually, it looks like the change I made to `network_interface_unix` just now didn't show up using `fleetctl get config` - in fact, it looks like a previous version of the config from a while back.
I see those configs stored in the DB:
```
MySQL [opens]> select json_value->>'$.features' from app_config_json\G
*************************** 1. row ***************************
json_value->>'$.features': {"enable_host_users": false, "detail_query_overrides": {"disk_space_unix": null, "disk_space_windows": null, "disk_encryption_linux": null, "network_interface_unix": "SELECT ia.address, id.mac FROM interface_addresses ia JOIN interface_details id ON id.interface = ia.interface JOIN routes r ON r.interface = ia.interface WHERE r.destination = '0.0.0.0' AND r.netmask = 0 AND r.type = 'gateway' ORDER BY r.metric ASC, inet_aton(ia.address) IS NOT NULL DESC LIMIT 1", "disk_encryption_windows": null}, "enable_software_inventory": false}
```
and that is the old query for `network_interface_unix` and the config for windows is missing. 🕵️‍♂️
k
What does the updated_at timestamp look like for that?
j
it's old.
2023-07-10 07:23:07
I am willing and able to update the queries in the DB.
And I have done so.
`fleetctl get config` now shows the correct and expected results. Now to see if those queries will be used by Fleet as intended. cheers
Anecdotal evidence shows it appears to have worked. The number of Windows nodes missing their `primary_ip` is shrinking.
g
if these trends continue
j
I may have been assuming Fleet loads and uses its config file when it starts. It does log a message to indicate that. Maybe using `fleetctl apply` would have been the correct route?
`Using config file: /usr/local/fleet/conf/fleet.yml` is what I saw in the log.
k
Interesting. I'd expect the same. I'll definitely take a poke at more recent versions to see if that's still what's happening and, if it is, get a ticket put together to make it clear that the file is only read if config is not already saved.
I wouldn't expect that to be read every time because there may have been more recent config applied with `fleetctl` or through the API
j
You still helped me solve the problem. Thank you!