# fleet
Ortal:
Hello!👋 I'm having some issues with file carving of files larger than the carve block size (i.e., multipart upload is required). I'm running Fleet v4.50.0 and a MinIO instance for S3 storage. Carving of small files succeeds, but big files don't. When I try to retrieve carve info with the Fleet API (<url>/api/v1/fleet/carves), I can see the unsuccessful carves; the field "max_block" is always "-1". The field "error" is sometimes "null" (but I still don't get the carve) and sometimes says "block_id does not match expected block (0): 7". I don't understand what I can do from here, please help!🙏
Rebecca:
Hello, Ortal. We always recommend updating Fleet to the latest version. We also recommend MySQL version 8.0.36 to pair with updated Fleet versions. In terms of file carving: yes, larger files need to be carved up and sent to Fleet in pieces, however it is critical that the pieces are sent in order, so ensure that they are being sent in the correct order. Are you certain they are being sent in the right order? Also, how big are the files being carved?
Ortal:
Hi Rebecca, my MySQL version is 8.0.33. I have no idea how to check if the blocks are sent in the right order; I can't find any logs about it in the osquery agent/Fleet. The file I'm trying to carve is 42KB.
42MB* I just noticed my mistake😅
Rebecca:
Oh, good! What was the issue?
Ortal:
The mistake was me writing 42KB instead of 42MB in the previous comment... I still haven't figured out how to solve the carve issue😫
Rebecca:
What do you have set for your `carver_block_size` in osquery? Can you check your Load Balancer logs for any failed requests to the `osquery/carve/block` endpoint?
Ortal:
My Fleet instance is deployed in Kubernetes, and I can't see the logs from the Kubernetes service/load balancer. I have scaled down the deployment to only one pod, so it gets all the traffic, but the carve is still not uploaded. I set my `carver_block_size` to 6000000, above 5MB, as advised in the documentation.
Rebecca:
Are you able to check the logs of your pod by using the command `kubectl logs <podname>`? This command may be outdated. Here is a link to the `kubectl logs` docs page.
Ortal:
I scaled it down again to 1 pod, tried to carve the file, and got the logs from the pod into a file. I tried to search for keywords like "carv", "block" or the host name/IP and found nothing. Could the problem be in my OSQ agent? I got the latest one yesterday (5.13.1).