Channels
doorman
infrastructure
random
zercurity
community-feeds
fleet-dev
code-review
queryhub
apple-silicon
carving
tls
fim
goquery
zentral
aws
querycon
golang
zeek
file-carving
fuzzing
auditing-warroom
linen-dev
fleetosquery
plugins
jobs
arm-architecture
darkbytes
process-auditing
uptycs
android_tests
selfgroup
vendor-feeds
fleet
eclecticiq-polylogyx-extension
ebpf
website
core
general
macos
kolide
osctrl
extensions
foundation
sql
officehours
linux
windows
Title
k
Kyle Goode
09/04/2022, 12:17 AMHey guys may be pushing it here but trying to configure my Raspbian Debian 11 osquery 5.4 agent to my fleet this is arm64 with the arm64 deb of osquery set up. I have taken and adjusted the following flag file and know that I have my cert and secret setup correctly. Fleetctl fails with "/usr/lib/node_modules/fleetctl/install/v4.19.1/fleetctl: 1: /usr/lib/node_modules/fleetctl/install/v4.19.1/fleetctl: 1: _: not found
k: not found
/usr/lib/node_modules/fleetctl/install/v4.19.1/fleetctl: 1: @ ^@6: not found
/usr/lib/node_modules/fleetctl/install/v4.19.1/fleetctl: 1: ELF: not found
/usr/lib/node_modules/fleetctl/install/v4.19.1/fleetctl: 2: Syntax error: "(" unexpected" and when I try it manually with osqueryd --flagfile=flagfile.txt --verbose the closet I get is "Failed enrollment request to https://ip:8090/api/latest/osquery/enroll (Cannot parse JSON: Invalid value. Offset: 0) retrying...
I0903 19:04:38.469650 264500 smbios_tables.cpp:252] Could not read SMBIOS memory " Looking through old issues I see a suggestion to add--tls_dump to the output so I've attached that as well. Please let me know if you have any thoughts I have already checked networking and should not be having any firewall or blocking issues. Thanks.
l
Lucas Rodriguez
09/05/2022, 3:58 PMHi @Kyle Goode! Please try replacing the paths
/api/latest/osquery/...flagfile.txt/api/v1/osquery/...k
Kyle Goode
09/07/2022, 4:55 AMHello @Lucas Rodriguez thank you for taking a look. I have attempted your solution but am encountering the same results unfortunately.
l
Lucas Rodriguez
09/07/2022, 11:00 AM@Kyle Goode Have you restarted osquery after changing the
flagfile.txt<html>
<head><title>404 Not Found</title></head>
<body>
<center><h1>404 Not Found</h1></center>
<hr><center>nginx</center>
</body>
</html>
W0903 19:12:55.460351 269113 tls_enroll.cpp:101] Failed enrollment request to <https://ip:8090/api/latest/osquery/enroll> (Cannot parse JSON: Invalid value. Offset: 0) retrying...k
Kyle Goode
09/08/2022, 3:59 AM@Lucas Rodriguez yes I did this may be further complicated by the fact that my fleet server is part of security onion. I think I'll pop on their support and see if I can get any additional insight to see what I can do. I can get osqueryd to run with systemctl but its the same error if I try to launch it manually with the flagfile and it never connects to server even though it's whitelisted on the firewall.
Looks like they suggest getting the answer from you guys. https://github.com/Security-Onion-Solutions/securityonion/discussions/8679
l
Lucas Rodriguez
09/08/2022, 2:02 PMOK, can you attach the logs after the restart? to check if it's still failing with the same error when requesting to
<https://ip:8090/api/v1/osquery/enroll>k
Kyle Goode
09/15/2022, 2:02 AM@Lucas Rodriguez would you have any other recommendations?
l
Lucas Rodriguez
09/15/2022, 12:45 PMHi @Kyle Goode! Do you have access to the host? Could you try running the following command on such host?
curl -k -v -X POST <https://IP:8090/api/v1/osquery/enroll>k
Kathy Satterlee
09/15/2022, 9:30 PMIt looks like the structure for the enroll secret is a little off in the secret file (extrapolating from the object in verboserror.txt).
"secret":"1"<your secret>--verbose --tls_dump