#general
Jean M

04/20/2021, 5:37 PM
Hi, I’ve some decorators configured (remote tls config), however, scheduled queries are not sending all expected decorators, the config is:
spec:
  config:
    decorators:
      load:
        - SELECT uuid AS host_uuid FROM system_info
        - SELECT hardware_serial FROM system_info LIMIT 1
      always:
        - >-
          SELECT user AS username FROM logged_in_users WHERE user <> '' ORDER BY
          time DESC LIMIT 1
      interval:
        '3600':
          - SELECT hostname FROM system_info LIMIT 1
...
I’ve also restarted osqueryd, and tried to remove the DB before restarting, is there anything I can do to know which decorators it is considering or the cause of the issue? I may add that it is working for two other hosts and they are using the same configuration 🤔 It is only including the hostIdentifier in the scheduled query results (I guess it’s the default?) thanks!
seph

04/20/2021, 8:55 PM
I’d try testing them one at a time, and seeing if anything works or fails.
8:55 PM
I also can’t remember if the interval stuff needs to be a number or if the string form is okay. I remember it’s a bit weird
Jean M

04/22/2021, 5:02 PM
OK, after a couple hours debugging.. I noticed that the hosts working OK were just Linux, could not find anything suspicious in the logs, however I suspected that the remaining configuration which has OS specific ATC definitions could be broken.. removing all this section from the config it started working.
5:02 PM
It seems that if there’s some problem in the OS specific ATC tables (or in the config in general?) osquery will silently fail to load remote config : /
9:17 AM
After more debugging, it seems to be a bug in fleetdm and not a problem in osquery (https://github.com/fleetdm/fleet/issues/677).
seph

04/23/2021, 1:16 PM
Glad you found it