Hello everyone! I'm having a little problem regarding OSQuery for MacOS: some hosts keep "rejoining" Fleet with different hostnames (sometimes even with the same hostname) and I have no idea why. Note in the screenshot that it is the same machine, based on the serial number

Hi, @Saulo Guilhermino! What are you using as your host identifier?

Hey @Kathy Satterlee, my OSQuery flag file sets the

hostname

as

host_identifier

Was osquery removed or the database wiped in between hostname changes? If the hostname changed and then osquery sent an enrollment request, Fleet would see this as a new device.

Yeah, it likely has to do with the different hostnames. Is there something on the machine that could actually be changing the hostname? I suspect you could solve this by switching to

uuid

for

host_identifier

.

Hi, sorry for the delay. @Kathy Satterlee There were no changes to the osquery installation or the database in this time period, as you guessed it. I already removed the duplicates yesterday, but they keep showing up. @zwass I do think something on the machine is causing the hostname to change, but I'm not sure what it could be. I will try to switch the identifier and send updates here if I notice any changes. Thanks for the suggestions!

Sounds good. @Saulo Guilhermino!

Sure! Here it is:

--enroll_secret_path=<%= @secret_path %>
--tls_hostname=<%= @fleet_url %>
--host_identifier=uuid
--enroll_tls_endpoint=/api/osquery/enroll
--config_plugin=tls
--config_tls_endpoint=/api/osquery/config
--config_refresh=10
--disable_distributed=false
--distributed_plugin=tls
--distributed_interval=10
--distributed_tls_max_attempts=3
--distributed_tls_read_endpoint=/api/osquery/distributed/read
--distributed_tls_write_endpoint=/api/osquery/distributed/write
--logger_plugin=tls
--logger_tls_endpoint=/api/osquery/log
--logger_tls_period=10

That’s awesome, glad to hear it!