https://github.com/osquery/osquery logo
Powered by
#fleet
Title
b

Boubacary Diallo

09/06/2022, 4:02 PM
Copy code
Hello, how are you, I hope you are well!
I deployed a fleet of which I deployed osquery agents. Getting to a certain number of agents, often when a new host is deployed, it downgrades another one from the list. I get the following errors on the output to the osquery server:
1/osquery/distributed/read","ts":"2022-09-05T152012.164277378Z"} Sep 5 152015 osquery fleet[69161]: {"component":"http","err":"authentication error: invalid node key: /uLuK4hiUVdU3hZVXS5dcivDzQFpwfAX","level":"info","path":"/api/v1/osquery/config","ts":"2022-09-05T152015.9287988Z"}
k

Kathy Satterlee

09/06/2022, 4:29 PM
Hi @Boubacary Diallo! That's certainly odd behavior. A few questions: 1. How many hosts do you have enrolled? 2. How are you deploying osquery? 3. What are you using as the host identifier? Could those be duplicated across hosts? 4. Once you reach a specific number of hosts, do all new hosts replace existing ones or only some? If only specific hosts, do those share anything in common that stands out? 5. Are there any errors in the Fleet server logs that coincide with the osquery errors?
b

Boubacary Diallo

09/06/2022, 5:09 PM
Copy code
Hi thank you very much, I found the solution. By the way, we had to clone certain machines on hyper-V so they had the same uid, so fleet compares then downgrades one, saying it's the same machine. I solved this in the YAML configuratipo file, I chained host_identifier: hostname, instead of uid.
Thank you very much for your availability.
k

Kathy Satterlee

09/06/2022, 5:18 PM
That's great! I thought it was likely to be something along these lines.
b

Boubacary Diallo

09/06/2022, 9:00 PM
oui ca été ainsi. Merci infiniment
7 Views
Powered by