#fleet

ryan

08/03/2022, 1:37 PM
Testing out Fleet Desktop and it has been stuck on initializing for the past 24 hours. I've restarted, am running macOS 12.5 and have Fleet 4.18 installed that I generated an install package from.

Kathy Satterlee

08/03/2022, 2:09 PM
Hi @Ryan! Are you seeing any errors in the Fleet server logs? And is the host showing as enrolled in Fleet?

Ryan

08/03/2022, 2:12 PM
Different ryan 😄
oh wow it seems Slack has case-sensitive handles 😄

Kathy Satterlee

08/03/2022, 2:26 PM
Sorry about that!

ryan

08/03/2022, 3:18 PM
Host is showing as active and checking in. This is what I have for entries in my fleet-error.log:
{
  "component": "http",
  "err": "stream error: stream ID 1; INTERNAL_ERROR",
  "level": "info",
  "path": "/api/v1/osquery/distributed/write",
  "ts": "2022-05-23T19:58:24.163637593Z"
}
{
  "component": "http",
  "err": "authentication error: find host: timestamp: 2022-05-23T19:58:25Z: context canceled",
  "level": "info",
  "path": "/api/v1/osquery/distributed/write",
  "ts": "2022-05-23T19:58:25.893806126Z"
}
{
  "component": "http",
  "err": "timestamp: 2022-05-23T19:57:19Z: error in query ingestion || timestamp: 2022-05-23T19:57:19Z: error in query ingestion || timestamp: 2022-05-23T19:57:19Z: error in query ingestion || timestamp: 2022-05-23T19:57:19Z: error in query ingestion || timestamp: 2022-05-23T19:57:19Z: error in query ingestion || timestamp: 2022-05-23T19:57:19Z: error in query ingestion || timestamp: 2022-05-23T19:57:19Z: error in query ingestion || timestamp: 2022-05-23T19:57:19Z: error in query ingestion || timestamp: 2022-05-23T19:57:19Z: error in query ingestion || timestamp: 2022-05-23T19:57:19Z: error in query ingestion || timestamp: 2022-05-23T19:57:19Z: error in query ingestion || getting app config: selecting app config: timestamp: 2022-05-23T19:57:19Z: context canceled",
  "ingestion-err": "ingest detail query: selecting app config: timestamp: 2022-05-23T19:57:19Z: context canceled",
  "ip_addr": "x.x.x.x",
  "level": "error",
  "method": "POST",
  "took": "32.13412499s",
  "ts": "2022-05-23T19:57:19.197367632Z",
  "uri": "/api/v1/osquery/distributed/write",
  "x_for_ip_addr": "x.x.x.x"
}
Also hi @Ryan 👋🤣

Kathy Satterlee

08/03/2022, 3:23 PM
Thanks! Anything interesting in the Orbit logs on the host?
/private/var/log/orbit/orbit.std{out|err}.log
And was the host previously enrolled?

ryan

08/03/2022, 3:26 PM
Yes, it was, with plain osquery, but I deleted it before installing the Orbit package.
A couple of items in the err log, but the host shows it checked in 15 min ago.
2022-08-02T13:51:52-05:00 INF Failed to connect to Fleet server. Osquery connection may fail. error="dial for validate: dial tcp: address fleet.host.com: missing port in address"
2022-08-02T13:51:52-05:00 INF start osqueryd cmd="/opt/orbit/bin/osqueryd/macos-app/stable/osquery.app/Contents/MacOS/osqueryd --pidfile=/opt/orbit/osquery.pid --database_path=/opt/orbit/osquery.db --extensions_socket=/opt/orbit/orbit-osquery.em --logger_path=/opt/orbit/osquery_log --enroll_secret_env ENROLL_SECRET --host_identifier=uuid --tls_hostname=fleet.host.com --enroll_tls_endpoint=/api/v1/osquery/enroll --config_plugin=tls --config_tls_endpoint=/api/v1/osquery/config --config_refresh=60 --disable_distributed=false --distributed_plugin=tls --distributed_tls_max_attempts=10 --distributed_tls_read_endpoint=/api/v1/osquery/distributed/read --distributed_tls_write_endpoint=/api/v1/osquery/distributed/write --logger_plugin=tls,filesystem --logger_tls_endpoint=/api/v1/osquery/log --disable_carver=false --carver_disable_function=false --carver_start_endpoint=/api/v1/osquery/carve/begin --carver_continue_endpoint=/api/v1/osquery/carve/block --carver_block_size=2000000 --tls_server_certs /opt/orbit/fleet.pem --force --flagfile /opt/orbit/osquery.flags"
2022-08-02T13:51:52-05:00 INF opening path="/opt/orbit/bin/desktop/macos/stable/Fleet Desktop.app"

Kathy Satterlee

08/03/2022, 3:40 PM
Just for the sake of going about it scientifically, can you clean up the install and see if the host still reports back? I'm wondering if osquery might not be fully removed and is still reporting.

zwass

08/03/2022, 4:18 PM
Check the logs in
tail ~/Library/Logs/Fleet/fleet-desktop.log
as well (@Kathy Satterlee, can you please add this to the docs somewhere?)

ryan

08/03/2022, 4:25 PM
2022-08-03T11:19:01-05:00 ERR get device URL error="GET /api/latest/fleet/device/a0b95733-69d7-4267-8bf2-95bf9b846a6b/policies: Get \"https://fleetdm.host.com/api/latest/fleet/device/a0b95733-69d7-4267-8bf2-95bf9b846a6b/policies\": x509: certificate relies on legacy Common Name field, use SANs instead"

Kathy Satterlee

08/03/2022, 4:42 PM
It looks like the certificate you're using is incompatible with the current version of Go. You'll need a certificate with a Subject Alternate Name to use with Fleet. Here's some more detailed information: https://jfrog.com/knowledge-base/general-what-should-i-do-if-i-get-an-x509-certificate-relies-on-legacy-common-name-field-error/