Channels
#fleet
Title
# fleet
r
ryan
08/03/2022, 1:37 PMTesting out Fleet Desktop and it has been stuck on initialing for the past 24 hours. I've restarted, am running MacOS 12.5 and have Fleet 4.18 installed that I generated an install package from.
k
Kathy Satterlee
08/03/2022, 2:09 PMHi @Ryan ! Are you seeing any errors in the Fleet server logs? And is the host showing as enrolled in Fleet?
r
Ryan
08/03/2022, 2:12 PMDifferent ryan 😄
oh wow it seems Slack has case-sensitive handles 😄
k
Kathy Satterlee
08/03/2022, 2:26 PMSorry about that!
r
ryan
08/03/2022, 3:18 PMHost is showing as active and checking in.
This is what I have for entries in my fleet-error.log
Copy code
{
"component": "http",
"err": "stream error: stream ID 1; INTERNAL_ERROR",
"level": "info",
"path": "/api/v1/osquery/distributed/write",
"ts": "2022-05-23T19:58:24.163637593Z"
} Copy code
{
"component": "http",
"err": "authentication error: find host: timestamp: 2022-05-23T19:58:25Z: context canceled",
"level": "info",
"path": "/api/v1/osquery/distributed/write",
"ts": "2022-05-23T19:58:25.893806126Z"
} Copy code
{
"component": "http",
"err": "timestamp: 2022-05-23T19:57:19Z: error in query ingestion || timestamp: 2022-05-23T19:57:19Z: error in query ingestion || timestamp: 2022-05-23T19:57:19Z: error in query ingestion || timestamp: 2022-05-23T19:57:19Z: error in query ingestion || timestamp: 2022-05-23T19:57:19Z: error in query ingestion || timestamp: 2022-05-23T19:57:19Z: error in query ingestion || timestamp: 2022-05-23T19:57:19Z: error in query ingestion || timestamp: 2022-05-23T19:57:19Z: error in query ingestion || timestamp: 2022-05-23T19:57:19Z: error in query ingestion || timestamp: 2022-05-23T19:57:19Z: error in query ingestion || timestamp: 2022-05-23T19:57:19Z: error in query ingestion || getting app config: selecting app config: timestamp: 2022-05-23T19:57:19Z: context canceled",
"ingestion-err": "ingest detail query: selecting app config: timestamp: 2022-05-23T19:57:19Z: context canceled",
"ip_addr": "x.x.x.x",
"level": "error",
"method": "POST",
"took": "32.13412499s",
"ts": "2022-05-23T19:57:19.197367632Z",
"uri": "/api/v1/osquery/distributed/write",
"x_for_ip_addr": "x.x.x.x"
}Also hi @Ryan 👋🤣
k
Kathy Satterlee
08/03/2022, 3:23 PMThanks! Anything interesting in the Orbit logs on the host?
/private/var/log/orbit/orbit.std{out|err}.logAnd was the host previously enrolled?
r
ryan
08/03/2022, 3:26 PMyes it was with plain osquery but I deleted it before installing the orbit package
A couple items in the err log but host shows it's checked in 15 min ago.
Copy code
2022-08-02T13:51:52-05:00 INF Failed to connect to Fleet server. Osquery connection may fail. error="dial for validate: dial tcp: address <http://fleet.host.com|fleet.host.com>: missing port in address" Copy code
2022-08-02T13:51:52-05:00 INF start osqueryd cmd="/opt/orbit/bin/osqueryd/macos-app/stable/osquery.app/Contents/MacOS/osqueryd --pidfile=/opt/orbit/osquery.pid --database_path=/opt/orbit/osquery.db --extensions_socket=/opt/orbit/orbit-osquery.em --logger_path=/opt/orbit/osquery_log --enroll_secret_env ENROLL_SECRET --host_identifier=uuid --tls_hostname=<http://fleet.host.com|fleet.host.com> --enroll_tls_endpoint=/api/v1/osquery/enroll --config_plugin=tls --config_tls_endpoint=/api/v1/osquery/config --config_refresh=60 --disable_distributed=false --distributed_plugin=tls --distributed_tls_max_attempts=10 --distributed_tls_read_endpoint=/api/v1/osquery/distributed/read --distributed_tls_write_endpoint=/api/v1/osquery/distributed/write --logger_plugin=tls,filesystem --logger_tls_endpoint=/api/v1/osquery/log --disable_carver=false --carver_disable_function=false --carver_start_endpoint=/api/v1/osquery/carve/begin --carver_continue_endpoint=/api/v1/osquery/carve/block --carver_block_size=2000000 --tls_server_certs /opt/orbit/fleet.pem --force --flagfile /opt/orbit/osquery.flags"
2022-08-02T13:51:52-05:00 INF opening path="/opt/orbit/bin/desktop/macos/stable/Fleet <http://Desktop.app|Desktop.app>"k
Kathy Satterlee
08/03/2022, 3:40 PMJust for the sake of going about it scientifically, can you cleanup the install and see if the host still reports back? I'm wondering if osquery might not be fully removed and is still reporting.
z
zwass
08/03/2022, 4:18 PM
Check the logs in
tail ~/Library/Logs/Fleet/fleet-desktop.logr
ryan
08/03/2022, 4:25 PM Copy code
022-08-03T11:19:01-05:00 ERR get device URL error="GET /api/latest/fleet/device/a0b95733-69d7-4267-8bf2-95bf9b846a6b/policies: Get \"<https://fleetdm.host.com/api/latest/fleet/device/a0b95733-69d7-4267-8bf2-95bf9b846a6b/policies>\": x509: certificate relies on legacy Common Name field, use SANs instead"k
Kathy Satterlee
08/03/2022, 4:42 PMIt looks like the certificate you're using is incompatible with the current version of go. You'll need a certificate with a Subject Alternate Name to use with Fleet. Here's some more detailed information:
https://jfrog.com/knowledge-base/general-what-should-i-do-if-i-get-an-x509-certificate-relies-on-legacy-common-name-field-error/
2 Views