#general

Piyush Anand

04/19/2022, 10:10 AM
Can anyone help me with how can I connect Fleetdm to plain osquery

koo

04/19/2022, 10:30 AM

Piyush Anand

04/25/2022, 6:47 AM
@koo Actually I read this article earlier also and was not able to do the required conf. Can you help me with the same?

koo

04/25/2022, 7:20 AM
Have you been able to set an *enrolment secret*?

Piyush Anand

04/25/2022, 7:22 AM
I am on the initial stage
I want to connect a Windows machine via plain osquery
Hey, are you there?

koo

04/27/2022, 2:09 PM
@Piyush Anand were you able to figure this out?

Piyush Anand

04/28/2022, 5:25 AM
Yes, I was able to set an enrolment secret
but after that how can I use osqueryd to communicate with the Fleet server?

koo

05/02/2022, 9:58 AM
Hi @Piyush Anand, I think you might need to look at the osquery TLS API plugins for a more apt explanation on how to do this. You can find the documentation here: https://osquery.readthedocs.io/en/stable/deployment/remote/ However, from a single glance at the Fleet docs, I think you might need to start `osqueryd` with some of the following flags:
```
sudo osqueryd \
 --enroll_secret_path=/etc/osquery/enroll_secret \
 --tls_server_certs=/etc/osquery/fleet.crt \
 --tls_hostname=fleet.example.com \
 --host_identifier=uuid \
 --enroll_tls_endpoint=/api/osquery/enroll \
 --config_plugin=tls \
 --config_tls_endpoint=/api/osquery/config \
 --config_refresh=10 \
 --disable_distributed=false \
 --distributed_plugin=tls \
 --distributed_interval=10 \
 --distributed_tls_max_attempts=3 \
 --distributed_tls_read_endpoint=/api/osquery/distributed/read \
 --distributed_tls_write_endpoint=/api/osquery/distributed/write \
 --logger_plugin=tls \
 --logger_tls_endpoint=/api/osquery/log \
 --logger_tls_period=10
```

Piyush Anand

05/04/2022, 6:47 AM
Hi,
I started osqueryd with the above options you sent and made the necessary changes, but I am still facing an issue
facing this issue on the Fleet UI
When I click on add host --> advanced --> Plain osquery

koo

05/04/2022, 9:27 PM
Sorry about that. Is this resolved for you at this time?

Piyush Anand

05/05/2022, 11:26 AM
No. The issue is not resolved yet

Michal Nicpon

05/06/2022, 3:50 PM
What version of fleet are you running? Head to the "My account" page in the Fleet UI or run `fleetctl --version`. What did you do when you received the 500 page? Did you try downloading the enroll secret, fleet certificate, or flagfile? Also, do you have access to the logs from fleet?

Piyush Anand

05/06/2022, 3:57 PM
I have access to the logs but I am not able to download the fleet certificate

Michal Nicpon

05/06/2022, 3:59 PM
When you try to download the fleet certificate, do the logs show any errors? This would help me track down the issue

Piyush Anand

05/10/2022, 7:06 AM
Hello Michal,
Where can I find these logs?
Actually I am new to Fleet

Michal Nicpon

05/10/2022, 3:20 PM
It depends on how you are running fleet. By default fleet will log to stderr. Are you using `fleetctl preview`?

Piyush Anand

05/10/2022, 3:24 PM
Yes fleetctl preview

Michal Nicpon

05/10/2022, 3:31 PM
There may be a better way, but you can view the logs using docker:
```
docker logs fleet-preview-server-fleet02-1
```

Piyush Anand

05/10/2022, 3:42 PM
Let me check and find out the respective logs and send you
I appreciate your help

Michal Nicpon

05/10/2022, 3:44 PM
Actually, according to https://github.com/fleetdm/fleet/issues/4304#issuecomment-1047028029, this is expected behaviour. fleetctl preview does not use https/tls, and therefore does not have a certificate

Piyush Anand

05/10/2022, 3:45 PM
But when I open the GUI in the browser I use https
And without the fleet certificate how can I connect a host machine using plain osquery?

Michal Nicpon

05/10/2022, 3:48 PM
Can you please confirm what version you are running, using `fleetctl --version`?
Actually, let me follow up with the team. I am not sure if this is really supported in fleetctl preview

Piyush Anand

05/10/2022, 4:02 PM
Version is 4.12.0
Go version : go1.17.8

Michal Nicpon

05/10/2022, 4:10 PM
Can you try going to https://localhost:8412 and download the certificate? preview starts up a 2nd fleet server with tls enabled that is used primarily by osqueryd
p

Piyush Anand

05/10/2022, 4:13 PM
Wait let me check
In place of localhost, the IP of my server on which I have deployed Fleet, right?

Michal Nicpon

05/10/2022, 6:59 PM
fleetctl preview is currently meant for trying out fleet. But yes, you should be able to replace localhost with the ip address of the server running fleetctl preview