Hey guys may be pushing it here but trying to conf...
# fleetk
Kyle Goode
09/04/2022, 12:17 AMHey guys may be pushing it here but trying to configure my Raspbian Debian 11 osquery 5.4 agent to my fleet this is arm64 with the arm64 deb of osquery set up. I have taken and adjusted the following flag file and know that I have my cert and secret setup correctly. Fleetctl fails with "/usr/lib/node_modules/fleetctl/install/v4.19.1/fleetctl: 1: /usr/lib/node_modules/fleetctl/install/v4.19.1/fleetctl: 1: _: not found
k: not found
/usr/lib/node_modules/fleetctl/install/v4.19.1/fleetctl: 1: @ ^@6: not found
/usr/lib/node_modules/fleetctl/install/v4.19.1/fleetctl: 1: ELF: not found
/usr/lib/node_modules/fleetctl/install/v4.19.1/fleetctl: 2: Syntax error: "(" unexpected" and when I try it manually with osqueryd --flagfile=flagfile.txt --verbose the closet I get is "Failed enrollment request to https://ip:8090/api/latest/osquery/enroll (Cannot parse JSON: Invalid value. Offset: 0) retrying...
I0903 190438.469650 264500 smbios_tables.cpp:252] Could not read SMBIOS memory " Looking through old issues I see a suggestion to add--tls_dump to the output so I've attached that as well. Please let me know if you have any thoughts I have already checked networking and should not be having any firewall or blocking issues. Thanks.
l
Lucas Rodriguez
09/05/2022, 3:58 PMHi @Kyle Goode! Please try replacing the paths
/api/latest/osquery/...flagfile.txt/api/v1/osquery/...k
Kyle Goode
09/07/2022, 4:55 AMHello @Lucas Rodriguez thank you for taking a look. I have attempted your solution but am encountering the same results unfortunately.
l
Lucas Rodriguez
09/07/2022, 11:00 AM@Kyle Goode Have you restarted osquery after changing the
flagfile.txt Copy code
<html>
<head><title>404 Not Found</title></head>
<body>
<center><h1>404 Not Found</h1></center>
<hr><center>nginx</center>
</body>
</html>
W0903 19:12:55.460351 269113 tls_enroll.cpp:101] Failed enrollment request to <https://ip:8090/api/latest/osquery/enroll> (Cannot parse JSON: Invalid value. Offset: 0) retrying...k
Kyle Goode
09/08/2022, 3:59 AM@Lucas Rodriguez yes I did this may be further complicated by the fact that my fleet server is part of security onion. I think I'll pop on their support and see if I can get any additional insight to see what I can do. I can get osqueryd to run with systemctl but its the same error if I try to launch it manually with the flagfile and it never connects to server even though it's whitelisted on the firewall.
Kyle Goode
09/08/2022, 4:27 AMLooks like they suggest getting the answer from you guys. https://github.com/Security-Onion-Solutions/securityonion/discussions/8679
l
Lucas Rodriguez
09/08/2022, 2:02 PMOK, can you attach the logs after the restart? to check if it's still failing with the same error when requesting to
Copy code
<https://ip:8090/api/v1/osquery/enroll>k
Kyle Goode
09/15/2022, 2:02 AM@Lucas Rodriguez would you have any other recommendations?
l
Lucas Rodriguez
09/15/2022, 12:45 PMHi @Kyle Goode! Do you have access to the host? Could you try running the following command on such host?
Copy code
curl -k -v -X POST <https://IP:8090/api/v1/osquery/enroll>k
Kathy Satterlee
09/15/2022, 9:30 PMIt looks like the structure for the enroll secret is a little off in the secret file (extrapolating from the object in verboserror.txt).
Copy code
"secret":"1" Copy code
<your secret>--verbose --tls_dump25 Views