https://github.com/osquery/osquery logo
Powered by
Title
s

SK

09/09/2021, 12:14 PM
Some systems are not displaying the software inventory while others do, if I run for example the query Get installed Linux software hosted on https://fleetdm.com/queries it returns results but nothing in the host details page, is there some check or debug that I can do to see where the issue is?
t

Tomas Touceda

09/09/2021, 1:38 PM
you can check the logs for any occurrences of 
ingest-err
, otherwise, in the host that is not reporting the software, you can run it with verbose logging and see if it's getting the right queries to run
you're running 4.2.4, correct?
for osquery, if you can run it with 
--verbose --tls_dump
that might help
s

SK

09/09/2021, 2:04 PM
Running version 4.2.3, I will check the logs of osquery with verbose on
Don't see any 
ingest-err
in the logs of fleet
t

Tomas Touceda

09/09/2021, 2:30 PM
ok, we'll add a way to enable extra verbose logs for a specific host in 4.3.0
s

SK

09/09/2021, 7:18 PM
Hey @Tomas Touceda I ran Osquery in verbose mode but I don't see the software query if I do 
Refetch
in the UI, should it also run the query at that moment?
If I run the query that is in the sourcecode through the UI I see the following, don't know if it has any influence on the results: 
I0909 21:05:01.313659 30507 glog_logger.cpp:49] RPM notice: Failed to read auxiliary vector, /proc not mounted?                                                
I0909 21:05:01.313786 30507 glog_logger.cpp:49] RPM notice: Unable to open /usr/lib/rpm/rpmrc for reading: No such file or directory.                          
I0909 21:05:01.313809 30507 glog_logger.cpp:49] Cannot read RPM configuration files 
I0909 21:05:01.314138 30507 yum_sources.cpp:57] File /etc/yum.conf cannot be read
W0909 21:06:01.481489 30507 virtual_table.cpp:961] The atom_packages table returns data based on the current user by default, consider JOINing against the users table
t

Tomas Touceda

09/09/2021, 7:24 PM
what's the output of 
fleetctl get config
?
s

SK

09/09/2021, 7:37 PM
---
apiVersion: v1
kind: config
spec:
  agent_options:
    config:
      decorators:
        load:
        - SELECT uuid AS host_uuid FROM system_info;
        - SELECT hostname AS hostname FROM system_info;
      options:
        carver_block_size: 2000000
        carver_compression: true
        carver_continue_endpoint: /api/v1/osquery/carve/block
        carver_start_endpoint: /api/v1/osquery/carve/begin
        config_accelerated_refresh: 300
        config_refresh: 600
        disable_carver: false
        disable_distributed: false
        distributed_interval: 60
        distributed_plugin: tls
        distributed_tls_max_attempts: 3
        logger_plugin: tls
        logger_tls_compress: true
        logger_tls_endpoint: /api/v1/osquery/log
        logger_tls_period: 60
        pack_delimiter: /
        read_max: 524288000
    overrides:
      platforms:
        windows:
          decorators:
            load:
            - SELECT uuid AS host_uuid FROM system_info;
            - SELECT hostname AS hostname FROM system_info;
          options:
            carver_block_size: 2000000
            carver_compression: true
            carver_continue_endpoint: /api/v1/osquery/carve/block
            carver_start_endpoint: /api/v1/osquery/carve/begin
            config_accelerated_refresh: 300
            config_refresh: 600
            disable_carver: false
            disable_distributed: false
            disable_events: false
            distributed_interval: 60
            distributed_plugin: tls
            distributed_tls_max_attempts: 3
            enable_powershell_events_subscriber: true
            enable_windows_events_publisher: true
            enable_windows_events_subscriber: true
            events_optimize: true
            logger_plugin: tls
            logger_tls_compress: true
            logger_tls_endpoint: /api/v1/osquery/log
            logger_tls_period: 60
            pack_delimiter: /
            read_max: 524288000
            windows_event_channels: System,Application,Setup,Security,Microsoft-Windows-PowerShell/Operational
  host_expiry_settings:
    host_expiry_enabled: true
    host_expiry_window: 2
  host_settings:
    enable_host_users: true
    enable_software_inventory: true
  server_settings:
    enable_analytics: false
    live_query_disabled: false
    server_url: 
  vulnerability_settings:
    databases_path: /tmp/vulndbs
t

Tomas Touceda

09/09/2021, 7:39 PM
hm, yeah, it's weird you're not seeing the query, you should see it right after the request to 
/osquery/distributed/read
we will add some more logging https://github.com/fleetdm/fleet/pull/1978 for 4.3.0 that might help us nail the issue down
s

SK

09/09/2021, 7:42 PM
Great, for now I will let it rest as CPE data is beta 😉 Thanks for your help
Btw I see 
fleet_detail_query_users:
and other queries also, only not the software one
Only thing I can think of is for some reason because they are Debian systems, Red Hat and CentOS work without any issues
t

Tomas Touceda

09/09/2021, 8:26 PM
that shouldn't matter, at most it would fail to run the query, but if it's not being sent, that's odd. Do you happen to have the environment variable for software inventory defined?
s

SK

09/09/2021, 8:38 PM
No I set it through fleetctl apply, you mean the beta flag right?
Another piece of info, the osquery instances i am talking about are running on the fleet servers.
t

Tomas Touceda

09/09/2021, 9:12 PM
that shouldn't be a problem
let's see what the per host debug data tells us when that's released
4 Views
#fleetJoin Slack
Powered by