Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
b
Boubacary Diallo
09/06/2022, 4:02 PMHello, how are you, I hope you are well!
I deployed a fleet of which I deployed osquery agents. Getting to a certain number of agents, often when a new host is deployed, it downgrades another one from the list. I get the following errors on the output to the osquery server:k
Kathy Satterlee
09/06/2022, 4:29 PMHi @Boubacary Diallo! That's certainly odd behavior. A few questions:
1. How many hosts do you have enrolled?
2. How are you deploying osquery?
3. What are you using as the host identifier? Could those be duplicated across hosts?
4. Once you reach a specific number of hosts, do all new hosts replace existing ones or only some? If only specific hosts, do those share anything in common that stands out?
5. Are there any errors in the Fleet server logs that coincide with the osquery errors?
b
Boubacary Diallo
09/06/2022, 5:09 PMHi thank you very much, I found the solution. By the way, we had to clone certain machines on hyper-V so they had the same uid, so fleet compares then downgrades one, saying it's the same machine. I solved this in the YAML configuratipo file, I chained host_identifier: hostname, instead of uid.
Thank you very much for your availability.k
Kathy Satterlee
09/06/2022, 5:18 PMThat's great! I thought it was likely to be something along these lines.
b
Boubacary Diallo
09/06/2022, 9:00 PMoui ca été ainsi. Merci infiniment