Channels
doorman
infrastructure
random
zercurity
community-feeds
fleet-dev
code-review
queryhub
apple-silicon
carving
tls
fim
goquery
zentral
aws
querycon
golang
zeek
file-carving
fuzzing
auditing-warroom
linen-dev
fleetosquery
plugins
jobs
arm-architecture
darkbytes
process-auditing
uptycs
android_tests
selfgroup
vendor-feeds
fleet
eclecticiq-polylogyx-extension
ebpf
website
core
general
macos
kolide
osctrl
extensions
foundation
sql
officehours
linux
windows
Title
n
n0b00de
04/25/2022, 9:19 PMHi Team š I have a windows host with a running fleet package thats not showing up in the fleet UI. What can I check to troubleshoot?
l
Lucas Rodriguez
04/25/2022, 9:49 PMHi @n0b00de, you can check
C:\Windows\system32\config\systemprofile\AppData\Local\FleetDM\Orbit\Logs\orbit-osquery.logn
n0b00de
04/26/2022, 3:15 PM@Lucas Rodriguez Iām seeing these errors in my logs any idea what could be the cause?
###############################################################################################################################################
I0426 01:53:00.343926 7488 interface.cpp:137] Registering extension (com.fleetdm.orbit.osquery_extension.v1, 23695, version=, sdk=)
I0426 01:53:00.367911 7488 registry_factory.cpp:107] Extension 23695 registered table plugin file_lines
I0426 01:53:00.367911 7488 registry_factory.cpp:107] Extension 23695 registered table plugin google_chrome_profiles
I0426 01:53:00.367911 7488 registry_factory.cpp:107] Extension 23695 registered table plugin orbit_info
I0426 01:53:00.367911 7488 registry_factory.cpp:107] Extension 23695 registered table plugin puppet_info
I0426 01:53:00.367911 7488 registry_factory.cpp:107] Extension 23695 registered table plugin puppet_logs
I0426 01:53:00.367911 7488 registry_factory.cpp:107] Extension 23695 registered table plugin puppet_state
I0426 01:53:00.984251 7800 tls.cpp:255] TLS/HTTPS POST request to URI: https://<fleet-IP>:46784/api/v1/osquery/config
W0426 01:53:00.984251 7800 tls.cpp:101] Cannot read TLS server certificate(s): fleet.pem
I0426 01:53:05.013139 7800 tls.cpp:255] TLS/HTTPS POST request to URI: https://<fleet-IP>:46784/api/v1/osquery/config
W0426 01:53:05.013562 7800 tls.cpp:101] Cannot read TLS server certificate(s): fleet.pem
I0426 01:53:05.024225 7800 config.cpp:486] Using accelerated configuration delay
W0426 01:53:05.024225 7800 init.cpp:616] Error reading config: Request error: certificate verify failed
I0426 01:53:05.025849 7800 dispatcher.cpp:78] Adding new service: TLSLogForwarder (000001C982795A30) to thread: 6748 (000001C9831FBD40) in process 2284
I0426 01:53:05.026261 7800 system.cpp:308] Using host identifier: 07cbb4d5-ddcf-498b-8250-7ee001bc4629
I0426 01:53:05.027334 7800 eventfactory.cpp:156] Event publisher not enabled: ntfs_event_publisher: NTFS event publisher disabled via configuration
I0426 01:53:05.036332 7800 events.cpp:70] Skipping subscriber: powershell_events: Required publisher is disabled by configuration
I0426 01:53:05.036332 7800 events.cpp:70] Skipping subscriber: windows_events: Required publisher is disabled by configuration
I0426 01:53:05.036906 7800 dispatcher.cpp:78] Adding new service: DistributedRunner (000001C982746DB0) to thread: 8280 (000001C9831DDEC0) in process 2284
I0426 01:53:05.036906 7800 dispatcher.cpp:78] Adding new service: SchedulerRunner (000001C983251950) to thread: 8544 (000001C9831DD940) in process 2284
I0426 01:53:05.036906 572 eventfactory.cpp:390] Starting event publisher run loop: WindowsEventLogPublisher
I0426 01:53:05.037477 572 eventfactory.cpp:410] Event publisher WindowsEventLogPublisher run loop terminated for reason: Publisher disabled by configuration
I0426 01:53:05.037477 8280 tls.cpp:255] TLS/HTTPS POST request to URI: https://<fleet-IP>:46784/api/v1/osquery/distributed/read
W0426 01:53:05.038636 8280 tls.cpp:101] Cannot read TLS server certificate(s): fleet.pem
I0426 01:53:05.591302 6748 tls.cpp:255] TLS/HTTPS POST request to URI: https://<fleet-IP>:46784/api/v1/osquery/log
W0426 01:53:05.606740 6748 tls.cpp:101] Cannot read TLS server certificate(s): fleet.pem
I0426 01:53:05.622413 6748 buffered.cpp:90] Error sending status to logger: Request error: certificate verify failed
I0426 01:53:06.056996 8280 tls.cpp:255] TLS/HTTPS POST request to URI: https://<fleet-IP>:46784/api/v1/osquery/distributed/read
W0426 01:53:06.057389 8280 tls.cpp:101] Cannot read TLS server certificate(s): fleet.pem
###############################################################################################################################################
W0604 13:34:39.227860 6762 tls_enroll.cpp:66] Failed enrollment request to <https://IP:8080/api/v1/osquery/enroll> (Cannot parse JSON: The document root must not be followed by other values. Offset: 4) retrying...
W0604 13:34:40.280134 6762 tls_enroll.cpp:66] Failed enrollment request to <https://IP:8080/api/v1/osquery/enroll> (Cannot parse JSON: The document root must not be followed by other values. Offset: 4) retrying...
W0604 13:34:44.349366 6762 init.cpp:667] Error reading config: Missing config plugin tls
W0604 13:34:44.383548 6762 tls_enroll.cpp:66] Failed enrollment request to <https://IP:8080/api/v1/osquery/enroll> (Cannot parse JSON: The document root must not be followed by other values. Offset: 4) retrying...
W0604 13:34:45.423676 6762 tls_enroll.cpp:66] Failed enrollment request to <https://IP:8080/api/v1/osquery/enroll> (Cannot parse JSON: The document root must not be followed by other values. Offset: 4) retrying...
E0604 13:34:49.489332 6762 init.cpp:574] Cannot activate tls logger plugin: No node key, TLS logging disabled.
###############################################################################################################################################l
Lucas Rodriguez
04/26/2022, 3:16 PMHi @n0b00de we are working on a fix that will be released hopefully today, see #5367.
Once we release it should auto-update and auto-resolve.
n
n0b00de
04/26/2022, 3:32 PMshould the fix allow me to add the host to fleet?
l
Lucas Rodriguez
04/26/2022, 3:32 PMYes. Once the fix is pushed, the host will be able to enroll to fleet.
ā¤ļø 1
n
n0b00de
04/26/2022, 3:38 PMSo I guess tuf.fleetctl pushes updates automagically to our local fleet instance?
@zhong
l
Lucas Rodriguez
04/26/2022, 3:39 PMWe will push the update to tuf.fleetctl.com and the orbit instances will update automatically.
šÆ 1
n
n0b00de
04/26/2022, 3:41 PMI should be able to put the version in this flag and it should revert for the endpoints right?
l
Lucas Rodriguez
04/26/2022, 3:51 PMNot sure. We don't currently support changing the channel flags post-installation. We are unsure how that would work.
z
zwass
04/26/2022, 3:55 PMIf you change that to
0.0.8š° 1
š 1
n
n0b00de
04/26/2022, 3:57 PMIt worked using the above flag. I used it with the fleetctl package command
z
zwass
04/26/2022, 3:58 PMJust note that packages generated with that flag won't get updates because they'll be "pinned" to 0.0.8.
n
n0b00de
04/26/2022, 3:59 PMCorrect, we want to be a version behind. The latest change to v.9 prevented us from adding hosts to the ui