Started getting this after 4.4.0 upgrade `"err":["...
# fleet
r
Started getting this after 4.4.0 upgrade
"err":["failed to save host software: insert software: Error 1054: Unknown column 'bundle_identifier' in 'field list'"]
and verified that prepare db ran successfully.
t
what version did you migrate from?
r
4.3.1
t
could you tell me the output of the following sql query:
select * from migration_status_tables
?
r
I don’t see a bundle_identifier column in the software table. I messed around a little and added the column
alter table software add column bundle_identifier varchar(255) NOT NULL;
and the error goes away but then I get a bunch of other errors and my policies stop running
| 100 | 20210819143446 |     1 | 2021-09-14 07:30:59 |
| 101 | 20210903132338 |     1 | 2021-09-14 07:30:59 |
| 102 | 20210915144307 |     1 | 2021-09-27 14:49:25 |
| 103 | 20210920155130 |     1 | 2021-09-27 14:49:25 |
| 104 | 20210927143115 |     1 | 2021-10-05 00:16:55
t
the migration you're missing is:
ALTER TABLE software ADD COLUMN bundle_identifier VARCHAR(255) DEFAULT ''
it shouldn't be not null
r
Anything missing in the migration, my result/status filesystem logging stopped and I’m seeing errors like this
"filename":"distributed.cpp","line":"131","message":"Error executing distributed query: fleet_policy_query_6: no such table: sharing_preferences"
t
could you share the query that you are using for policy id 6?
r
{"hostIdentifier":"redacted","calendarTime":"Fri Oct 8 15:04:21 2021 UTC","unixTime":"1633705461","severity":"0","filename":"distributed.cpp","line":"121","message":"Executing distributed query: fleet_policy_query_6: select 1 from sharing_preferences where remote_login = 0;","version":"5.0.1","decorations":{"host_uuid":"redacted","hostname":"redacted"}}
{"hostIdentifier":"redacted","calendarTime":"Fri Oct 8 15:04:21 2021 UTC","unixTime":"1633705461","severity":"2","filename":"distributed.cpp","line":"131","message":"Error executing distributed query: fleet_policy_query_6: no such table: sharing_preferences","version":"5.0.1","decorations":{"host_uuid":"redacted","hostname":"redacted"}}
{"hostIdentifier":"redacted","calendarTime":"Fri Oct 8 15:04:21 2021 UTC","unixTime":"1633705461","severity":"0","filename":"distributed.cpp","line":"121","message":"Executing distributed query: fleet_policy_query_1: SELECT * FROM apps where bundle_identifier='io.redacted.redacted'","version":"5.0.1","decorations":{"host_uuid":"redacted","hostname":"redacted"}}
{"hostIdentifier":"redacted","calendarTime":"Fri Oct 8 15:04:21 2021 UTC","unixTime":"1633705461","severity":"2","filename":"distributed.cpp","line":"131","message":"Error executing distributed query: fleet_policy_query_1: no such table: apps","version":"5.0.1","decorations":{"host_uuid":"redacted","hostname":"redacted"}}
it's all of them
t
https://docs.zercurity.com/osquery/schema/osquery_4.1.2/sharing_preferences.html <-- policies run in all platforms, so they will fail in the platforms that don't support it
r
yah the targets are just platforms that support it and I can run the query live vs the hosts
t
policies don't run per platform as of today, they are sent to all hosts
r
confirmed they are unsupported hosts so makes sense on the policies. Any idea why the filesystem logging would have stopped?
t
could you expand a bit more on what you mean?
r
the packs run and should be logging to the filesystem (per my config) and was previously working.
osquery:
 status_log_plugin: filesystem
 result_log_plugin: filesystem
filesystem:
 status_log_file: /var/log/osquery/status.log
 result_log_file: /var/log/osquery/result.log
 enable_log_rotation: true
 enable_log_compression: true
logging:
 json: true
disregard appears a restart fixed it 🤷