Ojas

10/06/2022, 5:30 AM
I keep getting this log in my osquery-status-archive file:
{"hostIdentifier":"******,"calendarTime":"Tue Oct 4 20:53:05 2022 UTC","unixTime":"1664916785","severity":"1","filename":"options.cpp","line":"106","message":"The CLI only flag --carver_continue_endpoint set via config file will be ignored, please use a flagfile or pass it to the process at startup","version":"5.5.1","decorations":{"host_uuid":"*--51C8--*","hostname":"ti*****.local"}}
How do I fix it or stop it from writing?

Juan Fernandez

10/06/2022, 11:03 AM
How are you setting the --carver_continue_endpoint flag? That flag is meant to be set in the flagfile for connecting osquery agents to Fleet.

Ojas

10/06/2022, 11:06 AM
It is by default set to carver_continue_endpoint: /api/v1/osquery/carve/block
Should I remove it or set it to something else?

Juan Fernandez

10/06/2022, 12:01 PM
🤔 - unless I'm missing something, the issue seems to be that the --carver_continue_endpoint setting is being set in the wrong place: https://fleetdm.com/docs/using-fleet/fleetctl-cli#configuration

Ojas

10/06/2022, 12:09 PM
I still don't get what the path should be in it.

Juan Fernandez

10/06/2022, 12:10 PM
Sorry about that, it should be set to /api/v1/osquery/carve/block but via the flagfile.

Ojas

10/06/2022, 12:11 PM
But I don't have any flag file; I create agents with fleetctl and then deploy them to hosts directly. All I can configure is global agent options.

Juan Fernandez

10/06/2022, 12:13 PM
Ah gotcha, sorry about the mix-up

Ojas

10/06/2022, 7:42 PM
@Juan Fernandez so how can I fix it? Like, is there any config in global agent options which will fix it?

Juan Fernandez

10/06/2022, 7:54 PM
Do you mind posting your 'global' agent options? (By going to Settings -> Agent options)

Ojas

10/07/2022, 5:11 AM
@Juan Fernandez this is the config:

config:
  options:
    aws_region: **
    logger_plugin: firehose
    logger_stderr: false
    disable_carver: false
    pack_delimiter: /
    aws_access_key_id: *
    carver_block_size: 2097152
    logger_min_status: 2
    logger_min_stderr: 2
    logger_tls_period: 10
    aws_kinesis_stream: *
    distributed_plugin: tls
    aws_firehose_stream: *
    disable_distributed: false
    distributed_interval: 10
    aws_secret_access_key: *
    carver_start_endpoint: /api/v1/osquery/carve/begin
    carver_disable_function: false
    carver_continue_endpoint: /api/v1/osquery/carve/block
    osquery_status_log_plugin: firehose
    distributed_tls_max_attempts: 3
  firehose:
    region: *
    result_stream: *
    status_stream: *
    aws_access_key_id: ******
    aws_firehose_stream: *
    aws_secret_access_key: ********
  decorators:
    load:
      - SELECT uuid AS host_uuid FROM system_info;
      - SELECT hostname AS hostname FROM system_info;
overrides: {}

Juan Fernandez

10/07/2022, 11:17 AM
Thanks @Ojas - so there's your problem: both the --carver_start_endpoint and --carver_continue_endpoint flags are meant to be set via either the flagfile or as inline options when launching osquery - you will need to remove those two options from your global config. By default, the installer generated via the 'Add New Host' dialog includes the following options (see here for more details):
--disable_carver=false
--carver_disable_function=false
--carver_start_endpoint=/api/v1/osquery/carve/begin
--carver_continue_endpoint=/api/v1/osquery/carve/block
--carver_block_size=2097152
So if you just remove those two options you should be all set.

Ojas

10/07/2022, 11:38 AM
cool thanks 🙂