Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
t
Tarek Talaat
08/01/2022, 6:29 PMI'm having a problem with fleet when I run a simple query, sometimes it keeps spinning forever until I kill "osqueryd" on my macOS host and then it will receive the results back to fleet web ui. I've checked the error log on my macOS host, and found nothing interesting there.
anyone can help ?
k
Kathy Satterlee
08/01/2022, 6:45 PMThat's definitely an odd one, @Tarek Talaat! A few questions:
• Which logs are you checking on the host?
• When the results come through to Fleet, do they include the response from that host?
• What query are you running?
• Have you checked the Fleet logs to see if there's anything of interest there as well?
t
Tarek Talaat
08/01/2022, 7:39 PM• I'm checking /var/log/orbit/orbit.stderr.log
/var/log/orbit/orbit.stdout.log is empty
• The results come back from the host when I kill the queryd daemon (when it hangs).
• I'm running
"select pid, parent, cmdline from process_events
where cmdline like "cat%""
I haven't checked fleet logs yet, but I will soon.
just checked fleet logs, fleetdm.log, and status.log. Nothing there at all.
k
Kathy Satterlee
08/01/2022, 8:08 PMAnything interesting in your browser's Javascript console or network requests?
t
Tarek Talaat
08/01/2022, 8:08 PMthe network requests just hangs because the page keeps spinning.
I mean the network requests sends the request, and just waits until I kill the osqueryd process
certain queries don't work even if I kill the process, like the example I posted above.
k
Kathy Satterlee
08/01/2022, 8:18 PMSorry, I could have been a little more clear there. Can you check the console and network request tabs in your browser's developer tools to see if there are any errors or additional information there?
To open your browser's Javascript console, press Control Shift J (Windows, Linux, ChromeOS) or Command Option J (macOS).
To open your browser's network requests, press Control Shift J (Windows, Linux, ChromeOS) or Command Option J (macOS). Then select the "Network" tab.
You'll need to open the Network tab before running the live query to capture the request there.
I'm mostly interested to see if there are any errors about websockets in the Javascript console or if the network request times out.
t
Tarek Talaat
08/01/2022, 8:20 PMOk, will check that and get back to you soon
k
Kathy Satterlee
08/01/2022, 8:21 PMThanks! Hopefully we'll get to a useful error that we can use as a launching point.
t
Tarek Talaat
08/01/2022, 8:23 PMthis is what it looks like at the time of query
I opened the three of them together. Looks like console is clear, network tab is waiting on request I guess. I'll dig into it more and see what I can find
this is what I got after I posted the above. Not sure if it's related.
k
Kathy Satterlee
08/04/2022, 7:23 PMSorry, @Tarek Talaat. This got a little buried! It looks like there might be something off with websockets. Are you using a proxy server?
t
Tarek Talaat
08/08/2022, 3:15 PMI pinpointed the problem, it was from cloudflare blocking the response of the query.
Thanks anyway
k
Kathy Satterlee
08/08/2022, 3:18 PMI'm glad you got that sorted! Thanks so much for letting me know. Something to keep an eye out for.
t
Tarek Talaat
08/08/2022, 3:19 PMYup, for sure. It was very tricky to find out because the response is swallowed by cloudflare.