# fleet
c
Hello! I'm trying to figure out why a PXE-booted host (CentOS Linux 7.9.2009) is showing offline in Fleet (4.55.1, osqueryd version 5.11.0), despite the following that I've tried:
1. Confirmed osquery running on the host
2. Confirmed host can hit fleet server on 443
3. Confirmed I can cat system identifier as the user osquery is running as (`cat /sys/class/dmi/id/product_uuid`)
4. Confirmed no errors evident in `journalctl | grep osquery`
5. No errors seen when running osquery manually with --verbose flag (`osqueryd --verbose --flagfile=/etc/osquery/flagfile.txt`)
6. Disabled `features.enable_host_users` and `features.enable_software_inventory`.
Is there anything else I can try?
Just upgraded servers to the latest (4.57.2), but experiencing the same issue.
And upgraded to the latest osquery agent (5.13.1)
When I run osqueryi as root, it seems to appear online:
osqueryi --verbose --tls_dump --flagfile=/etc/osquery/flagfile.txt
If I run osqueryd with the same CLI arguments, it starts up and appears to successfully send and retrieve data from Fleet's TLS endpoints, but the host doesn't appear online in Fleet.
This is weird. Is the host_uuid cached? I ask because with tls_dump enabled, I see a host_uuid decoration that appears to come from the image, but I get a different value when I run `Select uuid as host_uuid from system_info` in osqueryi. The osqueryi value also corresponds with what is on disk at `/sys/class/dmi/id/product_uuid`, but the decoration sent to Fleet appears to be invalid.
j
Yes, a UUID is stored in the osquery.db. Perhaps this node is using the same UUID as another. You can fix it on the affected node by stopping osqueryd, then removing `/var/osquery/osquery.db`, then starting osqueryd again. Disclaimer: I'm not affiliated with Fleet.
c
Great timing, I just tried to wipe the osquery.db because I suspected it was included in the image
j
You can also verify by looking at the value in the DB.
Right, images used to instantiate other nodes should not have a `/var/osquery/osquery.db` file.
c
Your approach is more gracious for sure! But you are correct, deleting that file and re-running osqueryd did the trick!
j
I see this a lot. 😅
c
Haha I'd bet. Thank you so much!