i keep getting this log in my osquery status archive file ho osquery #fleet

i keep getting this log in my osquery-status-archi...

Ojas

10/06/2022, 5:30 AM

i keep getting this log in my osquery-status-archive file: {“hostIdentifier”:“******,“calendarTime”:“Tue Oct 4 205305 2022 UTC”,“unixTime”:“1664916785",“severity”:“1",“filename”“options.cpp”,“line”“106",“message”:“The CLI only flag --carver_continue_endpoint set via config file will be ignored, please use a flagfile or pass it to the process at startup”,“version”:“5.5.1",“decorations”{“host uuid”“*--51C8--*“,”hostname”:“ti*****.local”}} how do i fix it or stop it from writing?

Juan Fernandez

10/06/2022, 11:03 AM

How are you setting the

--carver_continue_endpoint

flag? That flag is meant to be set in the flagfile for connecting osquery agents to Fleet.

Ojas

10/06/2022, 11:06 AM

it is by default to carver_continue_endpoint: /api/v1/osquery/carve/block

Ojas

10/06/2022, 11:08 AM

should i remove it or set it to something else?

Juan Fernandez

10/06/2022, 12:01 PM

🤔 - unless I'm missing something the issue seems to be that the

--carver_continue_endpoint

setting is being set in the wrong place https://fleetdm.com/docs/using-fleet/fleetctl-cli#configuration

Ojas

10/06/2022, 12:09 PM

i still dont get it what the path should be in it.

Juan Fernandez

10/06/2022, 12:10 PM

Sorry about that, it should be set to

/api/v1/osquery/carve/block

but via the flagfile

Ojas

10/06/2022, 12:11 PM

but i am not having any flag file, i create agents by fleetctl and then deploy them to hosts directly. All i can configure is global agent options

Juan Fernandez

10/06/2022, 12:13 PM

Ah gotcha, sorry about the mix-up

Ojas

10/06/2022, 7:42 PM

@Juan Fernandez so how can i fix it ? like any config in global agent which will fix it?

Juan Fernandez

10/06/2022, 7:54 PM

Do you mind posting your 'global' agent options? (By going to

Settings

Agent options

Ojas

10/07/2022, 5:11 AM

@Juan Fernandez this is the config: config: options: aws_region: ** logger_plugin: firehose logger_stderr: false disable_carver: false pack_delimiter: / aws_access_key_id: * carver_block_size: 2097152 logger_min_status: 2 logger_min_stderr: 2 logger_tls_period: 10 aws_kinesis_stream: * distributed_plugin: tls aws_firehose_stream: * disable_distributed: false distributed_interval: 10 aws_secret_access_key: * carver_start_endpoint: /api/v1/osquery/carve/begin carver_disable_function: false carver_continue_endpoint: /api/v1/osquery/carve/block osquery_status_log_plugin: firehose distributed_tls_max_attempts: 3 firehose: region: * result_stream: * status_stream: * aws_access_key_id: ****** aws_firehose_stream: * aws_secret_access_key: ******** decorators: load: - SELECT uuid AS host_uuid FROM system_info; - SELECT hostname AS hostname FROM system_info; overrides: {}

Juan Fernandez

10/07/2022, 11:17 AM

Thanks @Ojas - so there's your problem both the

--carver_start_endpoint

and

--carver_continue_endpoint

flags are meant to be set via either the flagfile or as inline options when launching osquery - you will need to remove those two options from your global config. By default, the installer generated via the 'Add New Host' dialog include the following options (see here for more details):

Copy code

--disable_carver=false
--carver_disable_function=false
--carver_start_endpoint=/api/v1/osquery/carve/begin
--carver_continue_endpoint=/api/v1/osquery/carve/block
--carver_block_size=2097152

So if you just remove those two options you should be all set.

Ojas

10/07/2022, 11:38 AM

cool thanks 🙂

Open in Slack

Previous Next