https://github.com/osquery/osquery logo
Join Slack
Powered by
o
I have 600+ windows hosts and all are offline
l
Hi Ojas, could you check if any of your Windows hosts can connect to tuf.fleetctl.com? (
ping <http://tuf.fleetctl.com|tuf.fleetctl.com>
and maybe 
curl <https://tuf.fleetctl.com>
)
Also, if you have access to any of such hosts, please run: 
C:\Program Files\Orbit\bin\orbit.exe --version
o
i am able to ping and version is orbit 0.0.9
l
How about the curl or wget command? Asking this due to the 
lookup <http://tuf.fleetctl.com|tuf.fleetctl.com>: no such host
logs.
o
curl https://tuf.fleetctl.om does give me result
@Lucas Rodriguez seems like it got screwed up after new updates maybe?
l
Mhm... something to check: any AV or firewall configuration that could be preventing Orbit to connect to 
<http://tuf.fleetctl.com|tuf.fleetctl.com>
?
o
but then how i am able to curl and ping to it?
l
Not sure, but maybe something is preventing the Orbit process itself to making such connection or making the DNS request? (the error seems to suggest Orbit cannot even resolve DNS for tuf.fleetctl.com)
o
how can i debug it?
l
You could try running Orbit manually in 
cmd
and see if it provides more logs/information there.
To do so, you can do the following:
Click start, open "Services" as administrator, right click 
fleet-osquery
and select 
Properties
. And you will be able to copy/paste the command+arguments used to start Orbit.
o
this is what i get
message-4.txt
l
Error reading config: Cannot parse JSON: The document root must not be followed by other values. Offset: 4
Did you change the agents options in Fleet recently?
o
config: options: logger_plugin: filesystem filesystem: enable_log_rotation: true
i added filesystem: enable_log_rotation: true
l
Mhm... is that the 
agent options
or the 
fleet config
? By agent options I mean "Global agent options" from the settings:
o
l
If it's the global agent options, then:
Copy code
filesystem:
    enable_log_rotation: true
is not valid, as it's a fleet config, not an osquery config.
Removing that should fix the issue.
o
where do i put the osquery flasgs then. I though it goes in global agent options only
l
filesystem.enable_log_rotation
that configures log rotation for fleet logs, not osquery logs.
By fleet logs I mean Fleet log files.
Such config should be added via 
fleetctl
, it doesn't affect agents, it affects fleet log files.
o
oh alright
i have removed the config but still nothing.
l
OK, let me check, osquery agents may be trying to use the old config...
By executing Orbit manually in 
cmd
as before do you still get the same error?
Any reason to not use some of the default values (other than 
logger_plugin
) for 
Global agent settings
configuration that comes with fleet?
Copy code
config:
  options:
    logger_plugin: tls
    pack_delimiter: /
    logger_tls_period: 10
    distributed_plugin: tls
    disable_distributed: false
    logger_tls_endpoint: /api/osquery/log
    distributed_interval: 10
    distributed_tls_max_attempts: 3
  decorators:
    load:
      - SELECT uuid AS host_uuid FROM system_info;
      - SELECT hostname AS hostname FROM system_info;
overrides: {}
o
It was working well without all these, so i removed them. Didnt have any issues till now.
also yes i am getting the same error on executing orbit manually
l
OK, so currently you have the following agent config?
Copy code
config:
  options:
    logger_plugin: filesystem
o
nope i changed to the default one and set logger plugin to filesystem
config: options: pack_delimiter: / logger_tls_period: 10 distributed_plugin: tls disable_distributed: false logger_tls_endpoint: /api/osquery/log distributed_interval: 10 distributed_tls_max_attempts: 3 decorators: load: - SELECT uuid AS host_uuid FROM system_info; - SELECT hostname AS hostname FROM system_info; overrides: {}
l
OK, and you still get the 
Error reading config: Cannot parse JSON: The document root must not be followed by other values. Offset: 4
when running Orbit manually in 
cmd
?
o
yep yep
any fix for it? Also how do i stop auto update in future?
l
Mhm... that's odd, I'll check with the team, but the issue doesn't seem related to the Orbit upgrade.
Also, Orbit now has a 
--disable-updates
option (can be set in Orbit manually or you can define it when generating the packages (MSI, PKG, DEB, RPM) with 
fleetctl package
).
d
hi, I got the exactly same problem
W0426 024701.457355 247643 init.cpp:616] Error reading config: Cannot parse JSON: The document root must not be followed by other values. Offset: 4 is this caused by orbit automatic upgrade?
according last date, it seems this was working fine until April 22nd
o
@Lucas Rodriguez Is there an option in which we can revet to the older version where things were stable for us?
l
Hi folks, I'll check with the team and get back to you.
🙌 1
OK, I was able to reproduce the issue. We will be working on a fix today and release an auto-update as soon as we can. Issue: #5367.
👍 1
o
Amazing 🔥 Thanks Lucas
7 Views
Open in Slack
PreviousNext
Powered by