#fleet

n0b00de

04/25/2022, 9:19 PM
Hi Team 🌊 I have a Windows host with a running fleet package that's not showing up in the fleet UI. What can I check to troubleshoot?
Lucas Rodriguez

04/25/2022, 9:49 PM
Hi @n0b00de, you can check C:\Windows\system32\config\systemprofile\AppData\Local\FleetDM\Orbit\Logs\orbit-osquery.log (from https://github.com/fleetdm/fleet/blob/main/orbit/README.md#logs)
n0b00de

04/26/2022, 3:15 PM
@Lucas Rodriguez I'm seeing these errors in my logs. Any idea what could be the cause?
###############################################################################################################################################
I0426 01:53:00.343926  7488 interface.cpp:137] Registering extension (com.fleetdm.orbit.osquery_extension.v1, 23695, version=, sdk=)
I0426 01:53:00.367911  7488 registry_factory.cpp:107] Extension 23695 registered table plugin file_lines
I0426 01:53:00.367911  7488 registry_factory.cpp:107] Extension 23695 registered table plugin google_chrome_profiles
I0426 01:53:00.367911  7488 registry_factory.cpp:107] Extension 23695 registered table plugin orbit_info
I0426 01:53:00.367911  7488 registry_factory.cpp:107] Extension 23695 registered table plugin puppet_info
I0426 01:53:00.367911  7488 registry_factory.cpp:107] Extension 23695 registered table plugin puppet_logs
I0426 01:53:00.367911  7488 registry_factory.cpp:107] Extension 23695 registered table plugin puppet_state
I0426 01:53:00.984251  7800 tls.cpp:255] TLS/HTTPS POST request to URI: https://<fleet-IP>:46784/api/v1/osquery/config
W0426 01:53:00.984251  7800 tls.cpp:101] Cannot read TLS server certificate(s): fleet.pem
I0426 01:53:05.013139  7800 tls.cpp:255] TLS/HTTPS POST request to URI: https://<fleet-IP>:46784/api/v1/osquery/config
W0426 01:53:05.013562  7800 tls.cpp:101] Cannot read TLS server certificate(s): fleet.pem
I0426 01:53:05.024225  7800 config.cpp:486] Using accelerated configuration delay
W0426 01:53:05.024225  7800 init.cpp:616] Error reading config: Request error: certificate verify failed
I0426 01:53:05.025849  7800 dispatcher.cpp:78] Adding new service: TLSLogForwarder (000001C982795A30) to thread: 6748 (000001C9831FBD40) in process 2284
I0426 01:53:05.026261  7800 system.cpp:308] Using host identifier: 07cbb4d5-ddcf-498b-8250-7ee001bc4629
I0426 01:53:05.027334  7800 eventfactory.cpp:156] Event publisher not enabled: ntfs_event_publisher: NTFS event publisher disabled via configuration
I0426 01:53:05.036332  7800 events.cpp:70] Skipping subscriber: powershell_events: Required publisher is disabled by configuration
I0426 01:53:05.036332  7800 events.cpp:70] Skipping subscriber: windows_events: Required publisher is disabled by configuration
I0426 01:53:05.036906  7800 dispatcher.cpp:78] Adding new service: DistributedRunner (000001C982746DB0) to thread: 8280 (000001C9831DDEC0) in process 2284
I0426 01:53:05.036906  7800 dispatcher.cpp:78] Adding new service: SchedulerRunner (000001C983251950) to thread: 8544 (000001C9831DD940) in process 2284
I0426 01:53:05.036906   572 eventfactory.cpp:390] Starting event publisher run loop: WindowsEventLogPublisher
I0426 01:53:05.037477   572 eventfactory.cpp:410] Event publisher WindowsEventLogPublisher run loop terminated for reason: Publisher disabled by configuration
I0426 01:53:05.037477  8280 tls.cpp:255] TLS/HTTPS POST request to URI: https://<fleet-IP>:46784/api/v1/osquery/distributed/read
W0426 01:53:05.038636  8280 tls.cpp:101] Cannot read TLS server certificate(s): fleet.pem
I0426 01:53:05.591302  6748 tls.cpp:255] TLS/HTTPS POST request to URI: https://<fleet-IP>:46784/api/v1/osquery/log
W0426 01:53:05.606740  6748 tls.cpp:101] Cannot read TLS server certificate(s): fleet.pem
I0426 01:53:05.622413  6748 buffered.cpp:90] Error sending status to logger: Request error: certificate verify failed
I0426 01:53:06.056996  8280 tls.cpp:255] TLS/HTTPS POST request to URI: https://<fleet-IP>:46784/api/v1/osquery/distributed/read
W0426 01:53:06.057389  8280 tls.cpp:101] Cannot read TLS server certificate(s): fleet.pem
###############################################################################################################################################

W0604 13:34:39.227860  6762 tls_enroll.cpp:66] Failed enrollment request to <https://IP:8080/api/v1/osquery/enroll>  (Cannot parse JSON: The document root must not be followed by other values. Offset: 4) retrying...
W0604 13:34:40.280134  6762 tls_enroll.cpp:66] Failed enrollment request to <https://IP:8080/api/v1/osquery/enroll>  (Cannot parse JSON: The document root must not be followed by other values. Offset: 4) retrying...
W0604 13:34:44.349366  6762 init.cpp:667] Error reading config: Missing config plugin tls  
W0604 13:34:44.383548  6762 tls_enroll.cpp:66] Failed enrollment request to <https://IP:8080/api/v1/osquery/enroll>  (Cannot parse JSON: The document root must not be followed by other values. Offset: 4) retrying...
W0604 13:34:45.423676  6762 tls_enroll.cpp:66] Failed enrollment request to <https://IP:8080/api/v1/osquery/enroll>  (Cannot parse JSON: The document root must not be followed by other values. Offset: 4) retrying...
E0604 13:34:49.489332  6762 init.cpp:574] Cannot activate tls logger plugin: No node key, TLS logging disabled.

###############################################################################################################################################
Lucas Rodriguez

04/26/2022, 3:16 PM
Hi @n0b00de, we are working on a fix that will be released hopefully today, see #5367.
3:16 PM
Once we release it should auto-update and auto-resolve.
n0b00de

04/26/2022, 3:32 PM
Should the fix allow me to add the host to fleet?
Lucas Rodriguez

04/26/2022, 3:32 PM
Yes. Once the fix is pushed, the host will be able to enroll to fleet.
n0b00de

04/26/2022, 3:38 PM
So I guess tuf.fleetctl pushes updates automagically to our local fleet instance?
3:38 PM
@zhong
Lucas Rodriguez

04/26/2022, 3:39 PM
We will push the update to tuf.fleetctl.com and the orbit instances will update automatically.
n0b00de

04/26/2022, 3:41 PM
I should be able to put the version in this flag and it should revert for the endpoints, right?
Lucas Rodriguez

04/26/2022, 3:51 PM
Not sure. We don't currently support changing the channel flags post-installation. We are unsure how that would work.
zwass

04/26/2022, 3:55 PM
If you change that to 0.0.8 you should get the prior version again.
n0b00de

04/26/2022, 3:57 PM
It worked using the above flag. I used it with the fleetctl package command.
zwass

04/26/2022, 3:58 PM
Just note that packages generated with that flag won't get updates because they'll be "pinned" to 0.0.8.
n0b00de

04/26/2022, 3:59 PM
Correct, we want to be a version behind. The latest change to v.9 prevented us from adding hosts to the UI.