hey, what could be the cause of this occurring on ...
# fleet
g
hey, what could be the cause of this occurring on most hosts?
{"component":"http","err":": Authentication required","internal":"authentication error: invalid orbit node key","level":"info","path":"/api/fleet/orbit/config"
r
hey! this might happen before the hosts enroll for the first time, are you seeing this repeatedly? could you share more details about your set-up? anything on the debugging guide might be helpful, but knowing the Fleet version you're running and the Orbit version installed on the hosts would be great.
g
I'm seeing this almost constantly for a lot of hosts, but I can't say since when... only noticing it now because I'm not experiencing any issues actually. The hosts that are hitting this are existing hosts which have been registered in fleet for a while, and are still online
I upgraded from 4.21 to 4.22 today, it occurred on both. The orbit version we deploy is 0.0.6 or 0.0.7 and the osquery version is 5.5.1
this only occurs for requests from hosts to fleet on POST /api/fleet/orbit/config where a 401 error is returned, all the other requests return a 200
example from 1 host hitting haproxy that is serving in front of fleet:
f_fleet~ b_fleet/localhost 0/0/0/1/1 200 160 - - ---- 5533/5533/3/3/0 0/0 "HEAD /api/fleet/orbit/ping HTTP/1.1"
f_fleet~ b_fleet/localhost 0/0/0/0/0 401 269 - - ---- 5555/5555/0/0/0 0/0 "POST /api/fleet/orbit/config HTTP/1.1"
f_fleet~ b_fleet/localhost 0/0/0/1/1 200 574 - - ---- 5559/5559/1/1/0 0/0 "POST /api/v1/osquery/config HTTP/1.1"
f_fleet~ b_fleet/localhost 0/0/0/1/1 200 165 - - ---- 5603/5603/1/1/0 0/0 "POST /api/v1/osquery/distributed/read HTTP/1.1"
f_fleet~ b_fleet/localhost 0/0/0/1/1 200 165 - - ---- 5620/5620/1/1/0 0/0 "POST /api/v1/osquery/distributed/read HTTP/1.1"
f_fleet~ b_fleet/localhost 0/0/1/2/3 200 165 - - ---- 5722/5722/1/1/0 0/0 "POST /api/v1/osquery/distributed/read HTTP/1.1"
f_fleet~ b_fleet/localhost 0/0/1/0/1 401 269 - - ---- 5787/5787/1/1/0 0/0 "POST /api/fleet/orbit/config HTTP/1.1"
f_fleet~ b_fleet/localhost 0/0/0/1/1 200 165 - - ---- 5742/5742/0/0/0 0/0 "POST /api/v1/osquery/distributed/read HTTP/1.1"
r
gotcha, to give you peace of mind: we designed this feature in a way that shouldn't break anything if the orbit/config endpoint doesn't return a 200 code. Let me get back to the team with this information to see if we can pinpoint the issue. I might bother you again to ask for more details.