Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
r
ryan
08/03/2022, 1:37 PMTesting out Fleet Desktop and it has been stuck on initialing for the past 24 hours. I've restarted, am running MacOS 12.5 and have Fleet 4.18 installed that I generated an install package from.
k
Kathy Satterlee
08/03/2022, 2:09 PMHi @Ryan ! Are you seeing any errors in the Fleet server logs? And is the host showing as enrolled in Fleet?
r
Ryan
08/03/2022, 2:12 PMDifferent ryan 😄
oh wow it seems Slack has case-sensitive handles 😄
k
Kathy Satterlee
08/03/2022, 2:26 PMSorry about that!
r
ryan
08/03/2022, 3:18 PMHost is showing as active and checking in.
This is what I have for entries in my fleet-error.log
{
"component": "http",
"err": "stream error: stream ID 1; INTERNAL_ERROR",
"level": "info",
"path": "/api/v1/osquery/distributed/write",
"ts": "2022-05-23T19:58:24.163637593Z"
}{
"component": "http",
"err": "authentication error: find host: timestamp: 2022-05-23T19:58:25Z: context canceled",
"level": "info",
"path": "/api/v1/osquery/distributed/write",
"ts": "2022-05-23T19:58:25.893806126Z"
}{
"component": "http",
"err": "timestamp: 2022-05-23T19:57:19Z: error in query ingestion || timestamp: 2022-05-23T19:57:19Z: error in query ingestion || timestamp: 2022-05-23T19:57:19Z: error in query ingestion || timestamp: 2022-05-23T19:57:19Z: error in query ingestion || timestamp: 2022-05-23T19:57:19Z: error in query ingestion || timestamp: 2022-05-23T19:57:19Z: error in query ingestion || timestamp: 2022-05-23T19:57:19Z: error in query ingestion || timestamp: 2022-05-23T19:57:19Z: error in query ingestion || timestamp: 2022-05-23T19:57:19Z: error in query ingestion || timestamp: 2022-05-23T19:57:19Z: error in query ingestion || timestamp: 2022-05-23T19:57:19Z: error in query ingestion || getting app config: selecting app config: timestamp: 2022-05-23T19:57:19Z: context canceled",
"ingestion-err": "ingest detail query: selecting app config: timestamp: 2022-05-23T19:57:19Z: context canceled",
"ip_addr": "x.x.x.x",
"level": "error",
"method": "POST",
"took": "32.13412499s",
"ts": "2022-05-23T19:57:19.197367632Z",
"uri": "/api/v1/osquery/distributed/write",
"x_for_ip_addr": "x.x.x.x"
}Also hi @Ryan 👋🤣
k
Kathy Satterlee
08/03/2022, 3:23 PMThanks! Anything interesting in the Orbit logs on the host?
/private/var/log/orbit/orbit.std{out|err}.logAnd was the host previously enrolled?
r
ryan
08/03/2022, 3:26 PMyes it was with plain osquery but I deleted it before installing the orbit package
A couple items in the err log but host shows it's checked in 15 min ago.
2022-08-02T13:51:52-05:00 INF Failed to connect to Fleet server. Osquery connection may fail. error="dial for validate: dial tcp: address <http://fleet.host.com|fleet.host.com>: missing port in address"2022-08-02T13:51:52-05:00 INF start osqueryd cmd="/opt/orbit/bin/osqueryd/macos-app/stable/osquery.app/Contents/MacOS/osqueryd --pidfile=/opt/orbit/osquery.pid --database_path=/opt/orbit/osquery.db --extensions_socket=/opt/orbit/orbit-osquery.em --logger_path=/opt/orbit/osquery_log --enroll_secret_env ENROLL_SECRET --host_identifier=uuid --tls_hostname=<http://fleet.host.com|fleet.host.com> --enroll_tls_endpoint=/api/v1/osquery/enroll --config_plugin=tls --config_tls_endpoint=/api/v1/osquery/config --config_refresh=60 --disable_distributed=false --distributed_plugin=tls --distributed_tls_max_attempts=10 --distributed_tls_read_endpoint=/api/v1/osquery/distributed/read --distributed_tls_write_endpoint=/api/v1/osquery/distributed/write --logger_plugin=tls,filesystem --logger_tls_endpoint=/api/v1/osquery/log --disable_carver=false --carver_disable_function=false --carver_start_endpoint=/api/v1/osquery/carve/begin --carver_continue_endpoint=/api/v1/osquery/carve/block --carver_block_size=2000000 --tls_server_certs /opt/orbit/fleet.pem --force --flagfile /opt/orbit/osquery.flags"
2022-08-02T13:51:52-05:00 INF opening path="/opt/orbit/bin/desktop/macos/stable/Fleet <http://Desktop.app|Desktop.app>"k
Kathy Satterlee
08/03/2022, 3:40 PMJust for the sake of going about it scientifically, can you cleanup the install and see if the host still reports back? I'm wondering if osquery might not be fully removed and is still reporting.
z
zwass
08/03/2022, 4:18 PMCheck the logs in
tail ~/Library/Logs/Fleet/fleet-desktop.logr
ryan
08/03/2022, 4:25 PM022-08-03T11:19:01-05:00 ERR get device URL error="GET /api/latest/fleet/device/a0b95733-69d7-4267-8bf2-95bf9b846a6b/policies: Get \"<https://fleetdm.host.com/api/latest/fleet/device/a0b95733-69d7-4267-8bf2-95bf9b846a6b/policies>\": x509: certificate relies on legacy Common Name field, use SANs instead"k
Kathy Satterlee
08/03/2022, 4:42 PMIt looks like the certificate you're using is incompatible with the current version of go. You'll need a certificate with a Subject Alternate Name to use with Fleet. Here's some more detailed information:
https://jfrog.com/knowledge-base/general-what-should-i-do-if-i-get-an-x509-certificate-relies-on-legacy-common-name-field-error/