# fleet
CodeBleu:
I'm searching the web, and in this Slack channel, but not finding what I'm needing. Can someone point me in the right direction on how to get the Fleet agent installed on a Gentoo Linux system?
Grant Bilstad:
Greetings @CodeBleu, you can find Fleet's supported host OSes on our site. `fleetctl package` only packages .deb and .rpm for Linux.
CodeBleu:
Thanks @Grant Bilstad. It's just confusing because I see things in GitHub that talk about Gentoo and portage. If I get `osquery` to work, is that good enough to have it connect to Fleet DM?
Grant Bilstad:
Yep, Fleet supports talking with plain osquery @CodeBleu. You have to make sure to configure the enroll secret, certs, and such. Osquery has a nice doc on installing and running.
CodeBleu:
I'm looking at what was packaged for an RPM and see a file in there called `launcher`. Is that needed, or can I just get osquery running and be able to get it to work with Fleet? I think I might be close, as I have it running (I think), but I'm not seeing anything in Fleet.

I have `osquery` installed and it appears to be working for the most part. The only thing I'm not able to figure out is why it's not trying to communicate with my Fleet server on port 8090. I have verified with `nc` and `openssl` that I can connect and the cert works. I've also manually run `osqueryd` with the flags directly after the command instead of using the flag file. I don't see any errors, but I also don't see any attempts to talk to my Fleet server. I even see info in my `osqueryd.results.log` that has a status of `"action": "added"`. Any help on how I can figure out why there are no communication attempts from `osqueryd` would be greatly appreciated.

```text
osqueryd --config_plugin=filesystem --config_path=/etc/osquery/osquery.conf --tls_server_certs=fleet_roots.pem --tls_hostname=10.10.10.10:8090 --enroll_secret_path=fleet_secret --verbose --tls_dump
I0212 17:15:18.401388 17574 init.cpp:413] osquery initialized [version=5.11.0]
I0212 17:15:18.401480 17574 extensions.cpp:453] Could not autoload extensions: Cannot open file for reading: /etc/osquery/extensions.load
I0212 17:15:18.401525 17574 dispatcher.cpp:78] Adding new service: WatcherRunner (0x5635ef842ba8) to thread: 140618691180224 (0x5635ef800580) in process 17574
I0212 17:15:18.402818 17575 watcher.cpp:720] osqueryd watcher (17574) executing worker (17577)
I0212 17:15:18.410466 17577 init.cpp:410] osquery worker initialized [watcher=17574]
I0212 17:15:18.410550 17577 dispatcher.cpp:78] Adding new service: WatcherWatcherRunner (0x55fd32897308) to thread: 140188265019072 (0x55fd32894af0) in process 17577
I0212 17:15:18.410584 17577 rocksdb.cpp:90] Opening RocksDB handle: /var/osquery/osquery.db
I0212 17:15:18.523155 17577 dispatcher.cpp:78] Adding new service: ExtensionWatcher (0x55fd329f2a78) to thread: 140187724146368 (0x55fd329ab620) in process 17577
I0212 17:15:18.523241 17577 dispatcher.cpp:78] Adding new service: ExtensionRunnerCore (0x55fd329eb7a8) to thread: 140187732539072 (0x55fd328a6d10) in process 17577
I0212 17:15:18.523291 17577 auto_constructed_tables.cpp:99] Removing stale ATC entries
I0212 17:15:18.523293 17710 interface.cpp:299] Extension manager service starting: /var/osquery/osquery.em
I0212 17:15:18.711285 17577 smbios_tables.cpp:106] Reading SMBIOS from sysfs DMI node
I0212 17:15:18.711665 17577 eventfactory.cpp:156] Event publisher not enabled: BPFEventPublisher: Publisher disabled via configuration
I0212 17:15:18.711827 17577 eventfactory.cpp:156] Event publisher not enabled: auditeventpublisher: Publisher disabled via configuration
I0212 17:15:18.711838 17577 eventfactory.cpp:156] Event publisher not enabled: inotify: Publisher disabled via configuration
I0212 17:15:18.711849 17577 eventfactory.cpp:156] Event publisher not enabled: syslog: Publisher disabled via configuration
I0212 17:15:18.711916 17577 events.cpp:70] Skipping subscriber: apparmor_events: Subscriber disabled via configuration
I0212 17:15:18.711977 17577 events.cpp:70] Skipping subscriber: process_file_events: Subscriber disabled via configuration
I0212 17:15:18.711987 17577 events.cpp:70] Skipping subscriber: seccomp_events: Seccomp subscriber disabled via configuration
I0212 17:15:18.711997 17577 events.cpp:70] Skipping subscriber: selinux_events: Subscriber disabled via configuration
I0212 17:15:18.712007 17577 events.cpp:70] Skipping subscriber: socket_events: Subscriber disabled via configuration
I0212 17:15:18.712410 17577 loader.cpp:45] No experiments selected
I0212 17:15:18.712447 17577 main.cpp:104] Not starting the distributed query service: Distributed query service not enabled.
I0212 17:15:18.712510 17577 dispatcher.cpp:78] Adding new service: SchedulerRunner (0x55fd32af6118) to thread: 140188214662848 (0x55fd32b18c10) in process 17577
I0212 17:15:18.712502 17715 eventfactory.cpp:390] Starting event publisher run loop: udev
```
John Speno:
Maybe you need more command line flags, such as

```text
--config_plugin=tls
--logger_plugin=tls
```

See more at https://osquery.readthedocs.io/en/stable/installation/cli-flags/
CodeBleu:
Thanks @John Speno. I figured out it was missing the distributed settings in the conf file. Now I see it communicating with my Fleet server, but now I get this.

```text
Failed enrollment request to https://10.10.10.10:8090 (Cannot parse JSON: Invalid value. Offset: 0) retrying...
```
Kathy Satterlee:
Hey @CodeBleu. It sounds like you may not have the `enroll_tls_endpoint` set up, so your enroll request is going to the root route rather than the enroll API.
You can check out the full list of remote TLS settings for osquery here.
You can also go to `Hosts > Add Hosts > Advanced > Plain osquery` in the Fleet UI for a walkthrough on adding hosts, including downloadable files for your osquery flags, enroll secret, and server certificates.
CodeBleu:
@Kathy Satterlee thanks for your input. If I add `config_tls_endpoint` and/or `enroll_tls_endpoint`, I stop getting logs on my local system in the /var/log/osquery directory. 1. How can I fix it to still get logs when I enable them so I can see what is going on? 2. What exactly is the path in Fleet for each of those endpoints?
Kathy Satterlee:
If you want to get the osquery logs locally as well as through Fleet, you can set the `logger_plugin` to `tls,filesystem`. In Fleet, osquery logs are handled based on your configured logging destination.
Here is the full list of osquery flags you need for communication with Fleet:
CodeBleu:
I set it to `tls,filesystem`, but I still get NO logs, which is weird.
Kathy Satterlee:

```text
# Server
--tls_hostname= # Your server
--tls_server_certs=fleet.pem
# Enrollment
--host_identifier=instance
--enroll_secret_path=secret.txt
--enroll_tls_endpoint=/api/osquery/enroll
# Configuration
--config_plugin=tls
--config_tls_endpoint=/api/v1/osquery/config
--config_refresh=10
# Live query
--disable_distributed=false
--distributed_plugin=tls
--distributed_interval=10
--distributed_tls_max_attempts=3
--distributed_tls_read_endpoint=/api/v1/osquery/distributed/read
--distributed_tls_write_endpoint=/api/v1/osquery/distributed/write
# Logging
--logger_plugin=tls,filesystem
--logger_tls_endpoint=/api/v1/osquery/log
--logger_tls_period=10
# File carving
--disable_carver=false
--carver_start_endpoint=/api/v1/osquery/carve/begin
--carver_continue_endpoint=/api/v1/osquery/carve/block
--carver_block_size=8000000
```
CodeBleu:
That is what I have, but logs are not working where I can see them locally anymore.
Kathy Satterlee:
Are you seeing no results logs, no status logs, or both?
CodeBleu:
I'm tailing /var/log/osquery/* and before those changes I was seeing stuff, but after, I get nothing in any file.
Kathy Satterlee:
Can you double-check what you have configured for `--logger_path`?
CodeBleu:
So far, this is the only way I can get logs, but the logs I get are the invalid JSON stuff.

```text
--enroll_secret_path=/etc/osquery/fleet_secret
--tls_hostname=server:8090
--osqueryd_path=/usr/bin/osqueryd
--tls_server_certs=/etc/osquery/fleet_roots.pem
--update_channel=stable
#--config_tls_endpoint=/api/osquery/config
#--enroll_tls_endpoint=/enroll
--logger_plugin=filesystem
```
Kathy Satterlee:
And do you have Agent Options configured in Fleet that might be overriding the `logger` settings?
CodeBleu:
I don't have `--logger_path` set, as the default is `/var/log/osquery`, where they were going before.
Where are the Agent Options you are talking about?

Kathy Satterlee:
You can find that in the Fleet UI at Profile > Settings > Organization Settings > Agent Options.
CodeBleu:
Maybe this helps, but nothing was done with `fleetctl`. I manually installed `osquery` on my Gentoo Linux box and am using the configuration settings that are listed in the "Add host" > "Advanced" section to set up my `osquery`.
From the Agent Options on the server I see this.

```yaml
config:
  options:
    logger_plugin: tls
    pack_delimiter: _
    logger_tls_period: 10
    distributed_plugin: tls
    disable_distributed: false
    logger_tls_endpoint: /api/v1/osquery/log
    distributed_interval: 10
    decorations_top_level: true
    distributed_tls_max_attempts: 3
    distributed_tls_read_endpoint: /api/v1/osquery/distributed/read
    distributed_tls_write_endpoint: /api/v1/osquery/distributed/write
    enable_windows_events_publisher: true
```

Would that be overriding it? If so, how do I get to /api/v1/osquery/log to see why my host is still not registering/enrolling?
Kathy Satterlee:
Yes, that would override the local setting after the agent successfully enrolled and fetched config. Changing `logger_plugin` there to `tls,filesystem` as well will enable both TLS and filesystem logging. Once your logs have been sent to Fleet, where you can find them depends on your setup for the osquery logging destination in the Fleet configuration (linked above).
CodeBleu:
I'm in the nginx Docker container that is accepting the requests and I see this now.

```text
[error] 69#69: *17402742 open() "/opt/socore/html/api/osquery/enroll" failed (2: No such file or directory)
```

For some weird reason, it is appending the `/api/osquery/enroll` to `/opt/socore/html`. The `/api/osquery/enroll` is what I have in my `enroll_tls_endpoint`.
Kathy Satterlee:
It sounds like you may not have your port mapped correctly to Fleet.
CodeBleu:
I'm digging... been looking at the so-nginx and so-fleet containers.
Just curious, do you know if I can get the source code for `fleetctl` and compile it? I know there are no packages out there for Gentoo, but I was wondering if it might help if I could try compiling the `fleetctl` command so I can use the `fleetctl` tool and also have the config with `launcher` as well, instead of manually installing `osquery`?

Based on what my nginx.conf is set to, it looks like it's expecting a kolide path. I set my enrollment path to `/kolide.agent.Api/RequestEnrollment` now, and I don't get an error at the nginx now, but I get this error now.

```text
"POST /kolide.agent.Api/RequestEnrollment HTTP/1.1" 404 19
```
Kathy Satterlee:
What version of Fleet are you running?
CodeBleu:
Not sure, I don't see it in the web UI. I can find out... but I was able to get things working. I had to git clone the kolide launcher repo and run `make deps` and then `make` to create the `launcher` bin. I then use that instead of trying to get `osqueryd` on its own to work. Once I had `launcher` and used the config settings that my server told me to, similar to how my other servers are set up, then it worked! Now I have my Gentoo box enrolled; however, now I'm trying to figure out why the Software tab is not populated with my software. It shows the OS info, but not any software. I'm also able to run a manual query from the UI and it shows the software in that result, but it's just not putting it in the Software tab of that host.
Kathy Satterlee:
You can check your version in Profile > My account.
CodeBleu:
Fleet 4.31.1 • Go go1.20.1
Kathy Satterlee:
You're definitely a bit behind there; 4.44.0 is the latest.
d
@CodeBleu FYI, you are using Security Onion 2.3, which went EOL yesterday.