https://github.com/osquery/osquery logo
Powered by
#fleet
Title
# fleet
g

Gregory Storme

10/25/2022, 11:58 AM
hey, what could be the cause of this occurring on most hosts? 
{"component":"http","err":": Authentication required","internal":"authentication error: invalid orbit node key","level":"info","path":"/api/fleet/orbit/config"
r

roberto

10/25/2022, 1:38 PM
hey! this might happen before the hosts enroll for the first time, are you seeing this repeatedly? could you share more details about your set-up? anything on the debugging guide might be helpful, but knowing the Fleet version you're running and the Orbit version installed on the hosts would be great.
g

Gregory Storme

10/25/2022, 1:51 PM
I'm seeing this almost constantly for a lot of hosts, but I can't say since when... only noticing it now because I'm not experiencing any issues actually. The hosts that are hitting this are existing hosts which have been registered in fleet for a while, and are still online
I upgraded from 4.21 to 4.22 today, it occured on both. The orbit version we deploy is 0.0.6 or 0.0.7 and the osquery version is 5.5.1
this only occurs for requests from hosts to fleet on 
POST /api/fleet/orbit/config
where a 401 error is returned, all the other requests return a 200
example from 1 host hitting haproxy that is serving in front of fleet:
Copy code
f_fleet~ b_fleet/localhost 0/0/0/1/1 200 160 - - ---- 5533/5533/3/3/0 0/0 "HEAD /api/fleet/orbit/ping HTTP/1.1"
f_fleet~ b_fleet/localhost 0/0/0/0/0 401 269 - - ---- 5555/5555/0/0/0 0/0 "POST /api/fleet/orbit/config HTTP/1.1"
f_fleet~ b_fleet/localhost 0/0/0/1/1 200 574 - - ---- 5559/5559/1/1/0 0/0 "POST /api/v1/osquery/config HTTP/1.1"
f_fleet~ b_fleet/localhost 0/0/0/1/1 200 165 - - ---- 5603/5603/1/1/0 0/0 "POST /api/v1/osquery/distributed/read HTTP/1.1"
f_fleet~ b_fleet/localhost 0/0/0/1/1 200 165 - - ---- 5620/5620/1/1/0 0/0 "POST /api/v1/osquery/distributed/read HTTP/1.1"
f_fleet~ b_fleet/localhost 0/0/1/2/3 200 165 - - ---- 5722/5722/1/1/0 0/0 "POST /api/v1/osquery/distributed/read HTTP/1.1"
f_fleet~ b_fleet/localhost 0/0/1/0/1 401 269 - - ---- 5787/5787/1/1/0 0/0 "POST /api/fleet/orbit/config HTTP/1.1"
f_fleet~ b_fleet/localhost 0/0/0/1/1 200 165 - - ---- 5742/5742/0/0/0 0/0 "POST /api/v1/osquery/distributed/read HTTP/1.1"
r

roberto

10/25/2022, 2:09 PM
gotcha, to give you peace of mind: we designed this feature in a way that shouldn't break anything if the 
orbit/config
endpoint doesn't return a 
200
code. Let me get back to the team with this information to see if we can pinpoint the issue. I might bother you again to ask for more details.
2 Views
Powered by