# fleet
c
Hello! I am running Fleet on my Security Onion Version 2.3.40. I have a requirement of getting 3 OSQuery agents running (2 on my Windows 10 VMs) and am trying to get one working on my Windows Server 2022 VM. The 2 running on my Windows 10 VMs are working and I can see them in my Fleet manager; they are version 5.11.0. I have followed the exact same steps for installing on my Windows Server 2022 VM, but I cannot get the OSQuery agent to show up in the Fleet manager. I need to keep Security Onion version 2.3.40 and I cannot upgrade the Security Onion VM to 2.4.x. Any help on this is appreciated.
k
Hi @Collin! Since this isn't a standalone Fleet instance, you'd get the best help through Security Onion's community support: https://github.com/Security-Onion-Solutions/securityonion/discussions
That being said, the osquery logs from the host that isn't checking in may shed some light if you'd like to share those here.
d
As a side note, Security Onion 2.3 is end of life and we strongly suggest moving to 2.4.
c
I am building out an exam and I unfortunately need to use SO 2.3.40 because it's the same version that is in the training labs. I am confused why I got 2 of the OSQuery agents running but I can't get the other.
d
Unfortunately we don't offer any further support on 2.3. The underlying OS itself is EOL at the end of June as well.
k
@Collin Beder, have you checked the osquery logs on the host that isn't checking in with Fleet?
c
@Kathy Satterlee Yes, I've looked through the logs, and I ran a Wireshark pcap to get the handshake between the devices. I saved the certificate as well and added it into mmc in the certified root certificate authority. When I try to navigate to the URL "https://192.168.17.2:8090/api/v1/osquery/enroll" it just brings me to a 404 Not Found from nginx; if I go to "https://192.168.17.2/fleet" then it takes me to the web configurator. In the Security Onion firewall, when running "so-allow", I have already added the Windows Server 2022 as an "Osquery endpoint".
d
@Collin Beder To be clear, you are more than welcome to post to our community support forums: https://securityonion.net/discuss and someone in the community may be able to help you.
k
@Collin Beder I see that there's a TLS error. I'd definitely recommend posting in the forums linked above, but the most common issue with TLS is using a self-signed certificate and not providing osquery with the full certificate chain.