https://github.com/osquery/osquery logo
Join Slack
Powered by
I have an endpoint trying to register to fleet and...
# fleet
v
I have an endpoint trying to register to fleet and it keeps disappearing. When I find it and click on it, then I click 
refetch
I can see the name keep changing every second to a different name. We found out to be a Windows 2016 server running Hyper-V and the names showing up are the VMs running in it. Is there anything I need to do to avoid this, or is this a bug?
k
It sounds like both the host and the VMs all have the agent installed, but the VMs don't have a distinct hardware UUID, which is the default identifier used by Fleet to identify a host.
Are you using plain osquery, or fleetd?
v
fleetd
k
For the VMs, installing a new fleetd .msi built with 
--host-identifier instance
specified should clear that right up.
v
awesome, thank you
Is it a bad idea to assign instance to all my hosts?
it is still behaving the same way
k
Is it a bad idea to assign instance to all my hosts?
I'd stick to VMs. For non-ephemeral hosts, you can end up with a host that isn't re-associated with the existing one if it needs to re-enroll later.
it is still behaving the same way
Can you walk me through what you did, step by step? The 
instance
identifier is tied to the indidual osquery database on the host, so you definitely shouldn't see this behavior... Maybe with the VMs if they're all spun up from a base image that has the agent installed, but not with the actual metal host.
v
oh yes, the hypervisors are reporting well, it is just a few VMs that are flickering around showing different names and IPs and etc. If I keep refreshing the host page for example every second, I get a different result for a few of them
I honestly, applied the configuration on the server that is why I asked if it was a bad idea LOL, so the server pushed the new flag value to all of my hosts. Should I revert it back to UUID, and then generate a new fleetd package with the flag value 
instance
?
I will have to check if these are coming from the same image
k
Yes, I'd revert back. There are two separate enrollments that have to happen, one for osquery and another for Orbit. Changing the osquery flag alone can lead to issues with duplicates, but changing the flag in the package does it for both.
p
Here's some background on why 
instance
was created in osquery originally: https://github.com/osquery/osquery/issues/2819#issuecomment-264519833 I ran into this when investigating how Fleet handles different installs on the same physical hardware. NOTE - I'd recommend investigating why Hyper-V is giving you the same UUID for every host. There should be a way to change that. It can cause havoc with other tools.
k
I believe that in @Phillip Boushy's case, the solution we found that worked when Hyper-V wasn't giving the unique UUID was to install fleetd on the base image, stop it, and delete the osquery database. That way, each new instance would have to create a new database, with a new unique identifier. And also make sure there isn't any automation overwriting those actions.
v
yeah, base images can cause a lot of problems. Thank you guys, generating a new fleetd agent with the flag value to 
instance
worked for the vm guests
Sorry, can you remind me of what the problem would be if I use all of my hosts with the 
--host-identifier instance
? VMs and not VMs
k
You may not see any negative effects, but if fleetd was reinstalled on a host or the osquery database had to be deleted (very rare), the host would re-enroll in Fleet as a new host rather than being associated with the existing entry in Fleet.
The 
instance
identifier is tied to the osquery database rather than the host.
v
And I think you said this needs to be implemented in the package as a flag, right? Or if I configure Fleet to use instance as default, it will apply to existing and future hosts?
k
Best practice is to do it at the host level using the flag.
6 Views
Open in Slack
PreviousNext
Powered by