Channels
doorman
infrastructure
random
zercurity
community-feeds
fleet-dev
code-review
queryhub
apple-silicon
carving
tls
fim
goquery
zentral
aws
querycon
golang
zeek
file-carving
fuzzing
auditing-warroom
linen-dev
fleetosquery
plugins
jobs
arm-architecture
darkbytes
process-auditing
uptycs
android_tests
selfgroup
vendor-feeds
fleet
eclecticiq-polylogyx-extension
ebpf
website
core
general
macos
kolide
osctrl
extensions
foundation
sql
officehours
linux
windows
Title
m
Mystery Incorporated
08/15/2021, 1:43 AMOMG status.log is FLOODED with these:
{
"hostIdentifier": "8bca743b-7701-4c3a-ae18-7cbf883ee711",
"calendarTime": "Sun Aug 15 01:41:44 2021 UTC",
"unixTime": "1628991704",
"severity": "0",
"filename": "process_ops.cpp",
"line": "164",
"message": "Failed to lookup account name XXXXX with 1332",
"version": "4.9.0",
"decorations": {
"company": "YYYY",
"host_hostname": "ZZZZZ",
"username": "XXXXX"
}
}z
zwass
08/15/2021, 1:52 AMThat's an osquery log -- wouldn't have to do with upgrading Fleet.
m
Mystery Incorporated
08/15/2021, 1:53 AM@zwass Yes true but I'm wondering if fleet is pushing an erroneous decoration because that decoration comes from fleet config and was working fine pre 4.2 upgrade
z
zwass
08/15/2021, 1:55 AMI don't think we changed anything that would effect the decorators.
If you can use
--tls_dumpm
Mystery Incorporated
08/15/2021, 2:10 AM@zwass if I set --tls_dump where will it dump it in status I guess?
fleet[8891]: Failed to start: running root command: unknown flag: --tls_dumpOh I see that's an osquery flag
@zwass now I am flooded with these
{
"hostIdentifier": "8bca743b-7701-4c3a-ae18-7cbf883ee711",
"calendarTime": "Sun Aug 15 02:19:54 2021 UTC",
"unixTime": "1628993994",
"severity": "0",
"filename": "registry.cpp",
"line": "555",
"message": "Failed to expand globs: Failed to open registry handle",
"version": "4.9.0"
}z
zwass
08/15/2021, 2:43 AMDid you perhaps change the log level for osquery?
m
Mystery Incorporated
08/15/2021, 3:19 AM@zwass not at all, literally the only thing that has changed is I updated fleet binary from v4.1 to v4.2 and I did the prepare db for any migration, added the two settings in app_configs db tabel for vulnerability scanning, and now this happens. I even completey purged the osquerydb on that host and reinstalled it, still errors now it is:
{
"hostIdentifier": "76242d65-2c44-4b21-a0cd-ca226e63f02e",
"calendarTime": "Sun Aug 15 03:15:08 2021 UTC",
"unixTime": "1628997308",
"severity": "0",
"filename": "interfaces.cpp",
"line": "102",
"message": "Failed to retrieve network statistics for interface 1",
"version": "4.9.0"
}{
"hostIdentifier": "76242d65-2c44-4b21-a0cd-ca226e63f02e",
"calendarTime": "Sun Aug 15 03:15:08 2021 UTC",
"unixTime": "1628997308",
"severity": "0",
"filename": "interfaces.cpp",
"line": "157",
"message": "Failed to retrieve DHCP and DNS information for interface 1",
"version": "4.9.0"
}it can't really do anything. i think i will try rolling back to fleet 4.1 and see if it resolves the problem.
@zwass these errors are completely gone after I rolled back to v4.1 and deleted the 3 new columns put in the db with 4.2
Ah hang on it ditched the label query so hasn't been assigned a query pack now because it reenrolled after the db purge
@zwass still errors so I guess the vulnerability stuff is crashing fleet, and maybe some windows update has killed osqueryd or something because purge the DB, reinstall the msi, reenrols into fleet etc but just those errors in bulk and is mising the actual user who is on the computer in the user list and is saying
{
"hostIdentifier": "ea350f54-8884-43e4-abf2-a13b07390b42",
"calendarTime": "Sun Aug 15 03:57:55 2021 UTC",
"unixTime": "1628999875",
"severity": "0",
"filename": "registry.cpp",
"line": "555",
"message": "Failed to expand globs: Failed to open registry handle",
"version": "4.9.0"
}Nothing more I can say or do I guess, it is totally broken
z
zwass
08/15/2021, 10:40 PMBest way to debug this would be to compare what Fleet sends the osquery client between with
--tls_dump