SK
10/19/2021, 8:03 AM
fleet[7390]: {"component":"http","err":"authentication error: find host","level":"info","path":"/api/v1/osquery/log"
We are running 4.4.0 and we had policies running but removed them as the DB became unresponsive but now we have these errors, what can we do to solve this?
"authentication error: find host"
"updating hosts label updated at: context canceled"
"create transaction: context canceled"
"delete label query executions: context canceled"
Any way to like reset it?
Tomas Touceda
10/19/2021, 12:59 PM
SK
10/20/2021, 7:58 AM
Aborted connection 12345 to db: 'db' user: 'user' host: 'ip' (Got an error reading communication packets)
Aborted connection 12345 to db: 'db' user: 'user' host: 'ip' (Got an error writing communication packets)
Tomas Touceda
10/20/2021, 2:04 PM
SK
10/20/2021, 2:30 PM
delete from policies to see if that helped. But nothing, for me it seems there is some issue with the policy data that osquery wants to keep sending to the DB.
Tomas Touceda
10/20/2021, 2:35 PM
SK
10/20/2021, 2:36 PM
authentication error: find host
Tomas Touceda
10/20/2021, 2:38 PM
SK
10/20/2021, 2:40 PM
slow_query_log is disabled
Tomas Touceda
10/20/2021, 2:41 PM
SHOW FULL PROCESSLIST; would list what's running, but there are other performance tools that might be easier depending on your setup. If you have Prometheus, seeing ops and times could be useful
SK
10/20/2021, 2:48 PM
max_open_conns and max_idle_conns
they were 1000 and 200, now 100 and 20, DB seems to be more stable now, don't know if it will cause issues anywhere else
slow_query_log is giving me this over and over
Tomas Touceda
10/20/2021, 3:05 PM
SELECT TABLE_ROWS, TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA = 'fleet'
?
SK
10/20/2021, 3:07 PM
Tomas Touceda
10/20/2021, 3:11 PM
explain SELECT DISTINCT s.id, scv.cve
FROM host_software hs
JOIN hosts h ON (hs.host_id=h.id)
JOIN software s
JOIN software_cpe scp ON (s.id=scp.software_id)
JOIN software_cve scv ON (scp.id=scv.cpe_id)
WHERE hs.host_id=1
?
SK
10/20/2021, 3:19 PM
Tomas Touceda
10/20/2021, 3:21 PM
SK
10/20/2021, 3:26 PM
osquery_host_id from hosts or uuid?
Tomas Touceda
10/20/2021, 3:29 PM
select id from hosts limit 1
SK
10/20/2021, 3:31 PM
Tomas Touceda
10/20/2021, 3:33 PM
fleetctl get config, but the config you set for fleet to start
SK
10/20/2021, 3:36 PM
Tomas Touceda
10/20/2021, 3:40 PM
SK
10/20/2021, 3:41 PM
Tomas Touceda
10/20/2021, 3:41 PM
SK
10/20/2021, 3:41 PM
Tomas Touceda
10/20/2021, 3:43 PM
SK
10/20/2021, 3:46 PM
current_instance_checks: setting in that one server?
Tomas Touceda
10/20/2021, 3:47 PM
SK
10/20/2021, 3:48 PM
Tomas Touceda
10/20/2021, 3:54 PM
SELECT DISTINCT s.id, scv.cve
FROM host_software hs
JOIN hosts h ON (hs.host_id=h.id)
JOIN software s
JOIN software_cpe scp ON (s.id=scp.software_id)
JOIN software_cve scv ON (scp.id=scv.cpe_id)
WHERE hs.host_id=<the id you used before>
and then compare the speed with the following:
SELECT DISTINCT s.id, scv.cve
FROM host_software hs
JOIN hosts h ON (hs.host_id=h.id)
JOIN software s ON (s.id=hs.software_id)
JOIN software_cpe scp ON (s.id=scp.software_id)
JOIN software_cve scv ON (scp.id=scv.cpe_id)
WHERE hs.host_id=1
SK
10/20/2021, 4:02 PM
Empty set based on the id and the other one is hanging, waiting on the return at the moment
Tomas Touceda
10/20/2021, 4:02 PM
SK
10/20/2021, 4:07 PM
Tomas Touceda
10/20/2021, 4:08 PM
SK
10/20/2021, 4:11 PM
Tomas Touceda
10/20/2021, 4:13 PM
SK
10/20/2021, 4:22 PM
Tomas Touceda
10/20/2021, 4:22 PM
SK
10/20/2021, 4:23 PM
Tomas Touceda
10/20/2021, 4:23 PM
SK
10/20/2021, 4:24 PM
Tomas Touceda
10/20/2021, 4:32 PM
SK
10/20/2021, 4:34 PM
Tomas Touceda
10/20/2021, 4:59 PM
SK
10/21/2021, 7:35 AM
Tomas Touceda
10/21/2021, 2:13 PM
Gavin
10/22/2021, 7:12 PM
Flngen Flugen
12/06/2021, 12:12 PM
ytonui
02/10/2022, 1:19 PM