I'm having a problem with fleet when I run a simpl...
# fleett
Tarek Talaat
08/01/2022, 6:29 PMI'm having a problem with fleet when I run a simple query, sometimes it keeps spinning forever until I kill "osqueryd" on my macOS host and then it will receive the results back to fleet web ui. I've checked the error log on my macOS host, and found nothing interesting there.
Tarek Talaat
08/01/2022, 6:29 PManyone can help ?
k
Kathy Satterlee
08/01/2022, 6:45 PMThat's definitely an odd one, @Tarek Talaat! A few questions:
• Which logs are you checking on the host?
• When the results come through to Fleet, do they include the response from that host?
• What query are you running?
• Have you checked the Fleet logs to see if there's anything of interest there as well?
t
Tarek Talaat
08/01/2022, 7:39 PM• I'm checking /var/log/orbit/orbit.stderr.log
/var/log/orbit/orbit.stdout.log is empty
• The results come back from the host when I kill the queryd daemon (when it hangs).
• I'm running
"select pid, parent, cmdline from process_events
where cmdline like "cat%""
I haven't checked fleet logs yet, but I will soon.
Tarek Talaat
08/01/2022, 7:52 PMjust checked fleet logs, fleetdm.log, and status.log. Nothing there at all.
k
Kathy Satterlee
08/01/2022, 8:08 PMAnything interesting in your browser's Javascript console or network requests?
t
Tarek Talaat
08/01/2022, 8:08 PMthe network requests just hangs because the page keeps spinning.
Tarek Talaat
08/01/2022, 8:09 PMI mean the network requests sends the request, and just waits until I kill the osqueryd process
Tarek Talaat
08/01/2022, 8:09 PMcertain queries don't work even if I kill the process, like the example I posted above.
k
Kathy Satterlee
08/01/2022, 8:18 PMSorry, I could have been a little more clear there. Can you check the console and network request tabs in your browser's developer tools to see if there are any errors or additional information there?
To open your browser's Javascript console, press Control Shift J (Windows, Linux, ChromeOS) or Command Option J (macOS).
To open your browser's network requests, press Control Shift J (Windows, Linux, ChromeOS) or Command Option J (macOS). Then select the "Network" tab.
Kathy Satterlee
08/01/2022, 8:19 PMYou'll need to open the Network tab before running the live query to capture the request there.
Kathy Satterlee
08/01/2022, 8:20 PMI'm mostly interested to see if there are any errors about websockets in the Javascript console or if the network request times out.
t
Tarek Talaat
08/01/2022, 8:20 PMOk, will check that and get back to you soon
k
Kathy Satterlee
08/01/2022, 8:21 PMThanks! Hopefully we'll get to a useful error that we can use as a launching point.
t
Tarek Talaat
08/01/2022, 8:23 PMthis is what it looks like at the time of query
Tarek Talaat
08/01/2022, 8:23 PMI opened the three of them together. Looks like console is clear, network tab is waiting on request I guess. I'll dig into it more and see what I can find
Tarek Talaat
08/01/2022, 8:24 PMthis is what I got after I posted the above. Not sure if it's related.
k
Kathy Satterlee
08/04/2022, 7:23 PMSorry, @Tarek Talaat. This got a little buried! It looks like there might be something off with websockets. Are you using a proxy server?
t
Tarek Talaat
08/08/2022, 3:15 PMI pinpointed the problem, it was from cloudflare blocking the response of the query.
Tarek Talaat
08/08/2022, 3:15 PMThanks anyway
k
Kathy Satterlee
08/08/2022, 3:18 PMI'm glad you got that sorted! Thanks so much for letting me know. Something to keep an eye out for.
t
Tarek Talaat
08/08/2022, 3:19 PMYup, for sure. It was very tricky to find out because the response is swallowed by cloudflare.
142 Views