# fleet
t
Hey folks, I think my YAML config issues have been resolved, thanks @Luke Heath. Now I'm getting the following error in the verbose output when running osqueryd:
I0115 07:56:12.120774  1844 ntfs_journal_events.cpp:323] Couldn't open C:\Users\teddoro\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\Settings\settings.dat.LOG2 while building FRN set
I0115 07:56:12.120774  1844 ntfs_journal_events.cpp:323] Couldn't open C:\Users\teddoro\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Settings\settings.dat while building FRN set
I0115 07:56:12.136206  1844 ntfs_journal_events.cpp:323] Couldn't open C:\Users\teddoro\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Settings\settings.dat.LOG1 while building FRN set
I0115 07:56:12.136206  1844 ntfs_journal_events.cpp:323] Couldn't open C:\Users\teddoro\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Settings\settings.dat.LOG2 while building FRN set
I0115 07:56:12.167567  1844 ntfs_journal_events.cpp:323] Couldn't open C:\Users\teddoro\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Settings\settings.dat while building FRN set
These paths seem to correspond to what we have for file_paths in the YAML config, which leads me to believe that my config is working. However, I'm wondering why osquery isn't able to open these files? I've installed using Chocolatey, and verified that osquery is running with the proper permissions and as a service. FWIW, those error logs were observed after running:
C:\Program Files\osquery\osqueryd\osqueryd.exe --flagfile=osquery.flags --verbose
i.e., it was running from an admin shell and not as a "service". That being said, when I run osquery in this manner I'm able to see the host I'm running it from in FleetDM and the host appears online. However, after a system reboot, when osquery is running as a service, the host does not appear online.
z
Your first question about the errors coming from the ntfs_journal_events table might be better served in the #windows channel. For the host not coming online when run as a service... Is the service running that same command you just pasted? Perhaps it needs an absolute path to the flagfile? If you take the command line from the service and paste it in an admin PowerShell, does the host come online? Your best bet is to test the exact command line via PowerShell with absolute paths and then paste it over into the service.
t
How do I check to see what command the service is running with?
z
Open the "Services" application, right click on the osquery service -> properties -> path to executable.
t
Ahh okay, then yes, it is running with absolute paths.
z
If you copy that command and enter it in your admin PowerShell, does it work? Might need to add & as a prefix.
t
Ah ha! So the issue was that when the service was invoking the command as it was written in the "path to executable", it couldn't find fleet.pem because in the flags file only the relative path was given. I changed the flags file and now it seems to be one step past that issue; however, now the new error reads:
W0117 14:55:22.073629  4404 tls_enroll.cpp:101] Failed enrollment request to https://fleetdm-ui.ouryahoo.com/api/v1/osquery/enroll (No node key returned from TLS enroll plugin) retrying...
Ahh, probably because in the flags file the enroll secret also doesn't have an absolute path. Changing that...
Okay, and now we're up.
z
🍾
t
Thanks man! Now to see about that ntfs_journal_events issue. Still haven't heard back from anyone in the #windows channel, but I'm not sure if it's still giving an error.
z
If you haven't heard from anyone, could be a good one to bring to #officehours (live meeting) tomorrow
t
Oh neat, okay thanks.
Okay, looks like it's still an issue, so what time is that meeting?
z
13:00 ET
Look for the Meet link in that channel (it doesn't change week-to-week)
t
Ahh okay cool.
I also keep seeing an error in the verbose logs, where RocksDB tries to set a lock on osquery.db but is unable to because of another process. Though it looks like it is able to in the next log line.
I0117 15:15:05.984179  3348 rocksdb.cpp:149] Rocksdb open failed (5:0) IO error: Failed to create lock file: \Program Files\osquery\osquery.db/LOCK: The process cannot access the file because it is being used by another process.
I0117 15:15:06.202491  3348 rocksdb.cpp:132] Opening RocksDB handle: \Program Files\osquery\osquery.db
I0117 15:15:06.202491  3348 rocksdb.cpp:67] RocksDB: [WARN] [db\db_impl\db_impl_open.cc:1846] Persisting Option File error: OK
Not sure if that is actually an issue or not.
And then finally, the process eventually kills itself:
I0117 15:15:06.421223  3348 dispatcher.cpp:149] Thread: 3348 requesting a stop
I0117 15:15:06.421223  3348 dispatcher.cpp:156] Service: 00000218214A7950 has been interrupted
I0117 15:15:06.421223  3348 dispatcher.cpp:122] Thread: 3348 requesting a join
I0117 15:15:06.421223  3348 dispatcher.cpp:140] Service thread: 0000021821579A30 has joined
I0117 15:15:06.436787  3348 dispatcher.cpp:144] Services and threads have been cleared
E0117 15:15:06.797690  3856 shutdown.cpp:79] Worker returned exit status
I0117 15:15:06.797690  1824 dispatcher.cpp:149] Thread: 1824 requesting a stop
I0117 15:15:06.797690  1824 dispatcher.cpp:122] Thread: 1824 requesting a join
I0117 15:15:06.797690  1824 dispatcher.cpp:140] Service thread: 000001048D7CBAD0 has joined
I0117 15:15:06.812259  1824 dispatcher.cpp:144] Services and threads have been cleared
z
I have to go, but check that no other osquery processes are running (perhaps restart the system) and then try again.
t
Alright man, take care.
Hey Zach, you on right now?
Just wondering if these two configs are somehow in conflict:
--config_plugin=tls
--config_tls_endpoint=/api/v1/osquery/config
If I'm setting the config plugin to be tls on a Windows machine, and then defining my config TLS endpoint to be /api/v1/osquery/config, is the latter config line applicable? I mean, for one thing, that path looks like a Linux path with those forward slashes....
z
That looks right. The former is saying "get the config from the TLS plugin". The latter is saying "the path to request on the TLS server (configured in tls_hostname) is /api/v1/osquery/config."
t
Ahh okay, so /api/v1/osquery/config is a location on the server where the client should expect to receive config from?
z
Yeah, osquery will do a POST <tls_hostname>/api/v1/osquery/config with the node key in the body and the server will respond with the config.
You can turn on --verbose --tls_dump if you want to be able to see the request/response bodies -- might be helpful for understanding.
t
Yes, I set --config_dump=true in flags, and could see everything I defined in the YAML config within FleetDM. So, with that being said, is it safe to assume that the client/server config exchange is working correctly?
Just trying to narrow down the possibilities as to why my ntfs_journal_events table still isn't getting any events.
z
Yeah if you're seeing a JSON version of that YAML in osquery then client/server communication is definitely working.
t
ok