https://github.com/osquery/osquery logo
Powered by
#fleet
Title
t

Tarek Talaat

08/01/2022, 6:29 PM
I'm having a problem with fleet when I run a simple query, sometimes it keeps spinning forever until I kill "osqueryd" on my macOS host and then it will receive the results back to fleet web ui. I've checked the error log on my macOS host, and found nothing interesting there.
anyone can help ?
k

Kathy Satterlee

08/01/2022, 6:45 PM
That's definitely an odd one, @Tarek Talaat! A few questions: • Which logs are you checking on the host? • When the results come through to Fleet, do they include the response from that host? • What query are you running? • Have you checked the Fleet logs to see if there's anything of interest there as well?
t

Tarek Talaat

08/01/2022, 7:39 PM
• I'm checking /var/log/orbit/orbit.stderr.log /var/log/orbit/orbit.stdout.log is empty • The results come back from the host when I kill the queryd daemon (when it hangs). • I'm running "select pid, parent, cmdline from process_events where cmdline like "cat%"" I haven't checked fleet logs yet, but I will soon.
just checked fleet logs, fleetdm.log, and status.log. Nothing there at all.
k

Kathy Satterlee

08/01/2022, 8:08 PM
Anything interesting in your browser's Javascript console or network requests?
t

Tarek Talaat

08/01/2022, 8:08 PM
the network requests just hangs because the page keeps spinning.
I mean the network requests sends the request, and just waits until I kill the osqueryd process
certain queries don't work even if I kill the process, like the example I posted above.
k

Kathy Satterlee

08/01/2022, 8:18 PM
Sorry, I could have been a little more clear there. Can you check the console and network request tabs in your browser's developer tools to see if there are any errors or additional information there? To open your browser's Javascript console, press Control Shift J (Windows, Linux, ChromeOS) or Command Option J (macOS). To open your browser's network requests, press Control Shift J (Windows, Linux, ChromeOS) or Command Option J (macOS). Then select the "Network" tab.
You'll need to open the Network tab before running the live query to capture the request there.
I'm mostly interested to see if there are any errors about websockets in the Javascript console or if the network request times out.
t

Tarek Talaat

08/01/2022, 8:20 PM
Ok, will check that and get back to you soon
k

Kathy Satterlee

08/01/2022, 8:21 PM
Thanks! Hopefully we'll get to a useful error that we can use as a launching point.
t

Tarek Talaat

08/01/2022, 8:23 PM
this is what it looks like at the time of query
I opened the three of them together. Looks like console is clear, network tab is waiting on request I guess. I'll dig into it more and see what I can find
this is what I got after I posted the above. Not sure if it's related.
k

Kathy Satterlee

08/04/2022, 7:23 PM
Sorry, @Tarek Talaat. This got a little buried! It looks like there might be something off with websockets. Are you using a proxy server?
t

Tarek Talaat

08/08/2022, 3:15 PM
I pinpointed the problem, it was from cloudflare blocking the response of the query.
Thanks anyway
k

Kathy Satterlee

08/08/2022, 3:18 PM
I'm glad you got that sorted! Thanks so much for letting me know. Something to keep an eye out for.
t

Tarek Talaat

08/08/2022, 3:19 PM
Yup, for sure. It was very tricky to find out because the response is swallowed by cloudflare.
7 Views
Powered by