https://github.com/osquery/osquery logo
Powered by
#general
Title
# general
g

Gonzalo Saad

10/29/2020, 8:59 PM
Hi! I'm playing around with the distributed queries. I got the daemon to 
read
(I saw that in the osqueryd logs) but I do not get the daemon to 
write
or even show something like this: 
Executing distributed query: kolide_detail_query_os_version: select * from os_version limit 1
I'm not using the fleet server, doing an experiment haha. I 
disable_distributed=false
and the result of the 
/distributed/read
is this one:
Copy code
{
  "queries": {
    "dad0f587-abf3-4278-8664-7bc6fa8a8b762": "select * from system_info"
  },
  "node_invalid": false
}
What could be misconfigured in the daemon to not write data?
z

zwass

10/29/2020, 9:00 PM
This looks like invalid json
g

Gonzalo Saad

10/29/2020, 9:03 PM
Sorry, I copied it wrong. There it is updated.
z

zwass

10/29/2020, 9:06 PM
That looks correct. You have 
--verbose --tls_dump
on? Have you configured 
--distributed_tls_write_endpoint
?
g

Gonzalo Saad

10/29/2020, 9:07 PM
I'm using 
--verbose
, not using 
tls_dump
and yes I've configured 
distributed_tls_write_endpoint
.
z

zwass

10/29/2020, 9:08 PM
Using 
tls_dump
will help you see exactly what osquery is reading and writing with the server.
g

Gonzalo Saad

10/29/2020, 9:09 PM
Cool. I'll troubleshoot with that flag.
👍 1
Thanks!
Perfect. This flag helped me identify the problem.
Thank you very much sir 💪
z

zwass

10/29/2020, 9:18 PM
🍻
4 Views
Powered by