Hi I m playing around with the distributed queries I got the osquery #general

Hi! I'm playing around with the distributed querie...

Gonzalo Saad

10/29/2020, 8:59 PM

Hi! I'm playing around with the distributed queries. I got the daemon to

read

(I saw that in the osqueryd logs) but I do not get the daemon to

write

or even show something like this:

Executing distributed query: kolide_detail_query_os_version: select * from os_version limit 1

I'm not using the fleet server, doing an experiment haha. I

disable_distributed=false

and the result of the

/distributed/read

is this one:

Copy code

{
  "queries": {
    "dad0f587-abf3-4278-8664-7bc6fa8a8b762": "select * from system_info"
  },
  "node_invalid": false
}

What could be misconfigured in the daemon to not write data?

zwass

10/29/2020, 9:00 PM

This looks like invalid json

Gonzalo Saad

10/29/2020, 9:03 PM

Sorry, I copied it wrong. There it is updated.

zwass

10/29/2020, 9:06 PM

That looks correct. You have

--verbose --tls_dump

on? Have you configured

--distributed_tls_write_endpoint

Gonzalo Saad

10/29/2020, 9:07 PM

I'm using

--verbose

, not using

tls_dump

and yes I've configured

distributed_tls_write_endpoint

zwass

10/29/2020, 9:08 PM

Using

tls_dump

will help you see exactly what osquery is reading and writing with the server.

Gonzalo Saad

10/29/2020, 9:09 PM

Cool. I'll troubleshoot with that flag.

👍 1

Gonzalo Saad

10/29/2020, 9:09 PM

Thanks!

Gonzalo Saad

10/29/2020, 9:17 PM

Perfect. This flag helped me identify the problem.

Gonzalo Saad

10/29/2020, 9:17 PM

Thank you very much sir 💪

zwass

10/29/2020, 9:18 PM

🍻

4 Views

Open in Slack

Previous Next