Hello all I m working with some RHEL endpoints being hosted osquery #fleet

Hello all, I'm working with some RHEL endpoints be...

zhong

01/14/2022, 3:12 PM

Hello all, I'm working with some RHEL endpoints being hosted on AWS. I'm attempting to clone one of my endpoints and add the clones to fleet but when I do, fleet seems to confuse the original with the clones. I've changed the hostnames and made sure that they all have different IPs and serial number. When i add them to fleet, they do not show up as individual endpoints but when I try to Refetch the original endpoint i see its IP change and the hostname change. So it seems like fleet thinks that they are all the same endpoint. Anyone encountered this before?

Lucas Rodriguez

01/14/2022, 4:33 PM

I believe you want to change the config in fleet to use a different identifier for hosts https://fleetdm.com/docs/deploying/configuration#osquery-host-identifier

Lucas Rodriguez

01/14/2022, 4:33 PM

Let me double check with the team though.

zhong

01/14/2022, 4:34 PM

thank you!

Lucas Rodriguez

01/14/2022, 5:17 PM

Yes, that's the correct docs. You could try changing the config so that fleet uses a better identifier, and then delete the hosts in fleet (they will re-enroll after being deleted)

zwass

01/14/2022, 5:41 PM

https://fleetdm.com/docs/deploying/faq#what-is-duplicate-enrollment-and-how-do-i-fix-it may also be helpful

zhong

01/14/2022, 5:43 PM

Thank you, appreciate the help!

zwass

01/14/2022, 6:02 PM

@zhong I just updated that FAQ question with a bit more detail in case it helps 🙂

zhong

01/14/2022, 6:05 PM

thanks for the clarification! One more question (sorry), is the config found locally on each endpoint that is connected to fleet?

zwass

01/14/2022, 6:31 PM

Ah, so that flag is configured on the Fleet server. You can also configure the

--host_identifier

in osquery on the endpoints themselves, but most folks find it easier to just modify the Fleet server config.

zhong

01/18/2022, 9:24 PM

@zwass sorry for being inactive the past few days. Just wanted to follow up some more on this and double-check. If i wanted to update the config file for all hosts connected to fleet, should i add:

osquery:

host_identifier: uuid

on the Global agent options like so?

zwass

01/18/2022, 10:59 PM

No, you need to modify it on the Fleet server as described in https://fleetdm.com/docs/deploying/configuration

zhong

01/19/2022, 12:16 AM

So i need to run the command

fleet --osquery_host_identifier=uuid

on the fleet server?

zwass

01/19/2022, 12:21 AM

You need to start the Fleet server with that flag set, yeah. I would put it in whatever place you configuration is currently being set (config file, environment variables, or flags)

zhong

01/19/2022, 12:38 AM

i see, thank you for the help and for the patience with me 🤣

🍻 1

2 Views

Open in Slack

Previous Next