Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
s
Saulo Guilhermino
10/26/2022, 1:35 PMHello everyone! I'm having a little problem regarding OSQuery for MacOS: some hosts keep "rejoining" Fleet with different hostnames (sometimes even with the same hostname) and I have no idea why. Note in the screenshot that it is the same machine, based on the serial number
Perhaps the solution is to group machines by serial number? What do you think?
k
Kathy Satterlee
10/26/2022, 2:35 PMHi, @Saulo Guilhermino! What are you using as your host identifier?
s
Saulo Guilhermino
10/26/2022, 2:37 PMHey @Kathy Satterlee, my OSQuery flag file sets the
hostnamehost_identifierk
Kathy Satterlee
10/26/2022, 3:02 PMWas osquery removed or the database wiped in between hostname changes? If the hostname changed and then osquery sent an enrollment request, Fleet would see this as a new device.
I see that they all checked in in relatively short periods, so perhaps there was an issue with that machine that resulted in some tinkering?
If you remove the duplicates in Fleet, do they pop back up?
z
zwass
10/26/2022, 3:42 PMYeah, it likely has to do with the different hostnames. Is there something on the machine that could actually be changing the hostname?
I suspect you could solve this by switching to
uuidhost_identifiers
Saulo Guilhermino
10/26/2022, 4:58 PMHi, sorry for the delay. @Kathy Satterlee There were no changes to the osquery installation or the database in this time period, as you guessed it. I already removed the duplicates yesterday, but they keep showing up. @zwass I do think something on the machine is causing the hostname to change, but I'm not sure what it could be. I will try to switch the identifier and send updates here if I notice any changes. Thanks for the suggestions!
k
Kathy Satterlee
10/26/2022, 4:59 PMSounds good. @Saulo Guilhermino!
If you wouldn't mind sharing your
osquerys
Saulo Guilhermino
10/26/2022, 7:41 PMSure! Here it is:
--enroll_secret_path=<%= @secret_path %>
--tls_hostname=<%= @fleet_url %>
--host_identifier=uuid
--enroll_tls_endpoint=/api/osquery/enroll
--config_plugin=tls
--config_tls_endpoint=/api/osquery/config
--config_refresh=10
--disable_distributed=false
--distributed_plugin=tls
--distributed_interval=10
--distributed_tls_max_attempts=3
--distributed_tls_read_endpoint=/api/osquery/distributed/read
--distributed_tls_write_endpoint=/api/osquery/distributed/write
--logger_plugin=tls
--logger_tls_endpoint=/api/osquery/log
--logger_tls_period=10I just notice that all machines are rejoining, so I deleted all of them and now i'm waiting a little bit to get a new hosts list
Hey! Just to update you: the issue seems to be solved after the
host_identifierk
Kathy Satterlee
10/31/2022, 1:56 PMThat’s awesome, glad to hear it!