# fleet
m
OMG status.log is FLOODED with these:
```json
{
  "hostIdentifier": "8bca743b-7701-4c3a-ae18-7cbf883ee711",
  "calendarTime": "Sun Aug 15 01:41:44 2021 UTC",
  "unixTime": "1628991704",
  "severity": "0",
  "filename": "process_ops.cpp",
  "line": "164",
  "message": "Failed to lookup account name XXXXX with 1332",
  "version": "4.9.0",
  "decorations": {
    "company": "YYYY",
    "host_hostname": "ZZZZZ",
    "username": "XXXXX"
  }
}
```
z
That's an osquery log -- wouldn't have to do with upgrading Fleet.
m
@zwass Yes, true, but I'm wondering if Fleet is pushing an erroneous decoration, because that decoration comes from the Fleet config and was working fine pre-4.2 upgrade.
z
I don't think we changed anything that would affect the decorators.
If you can use `--tls_dump` to see that Fleet is returning the config incorrectly, that would be very helpful.
m
@zwass If I set `--tls_dump`, where will it dump it? In status, I guess?
```text
fleet[8891]: Failed to start: running root command: unknown flag: --tls_dump
```
Oh, I see, that's an osquery flag.
@zwass Now I am flooded with these:
```json
{
  "hostIdentifier": "8bca743b-7701-4c3a-ae18-7cbf883ee711",
  "calendarTime": "Sun Aug 15 02:19:54 2021 UTC",
  "unixTime": "1628993994",
  "severity": "0",
  "filename": "registry.cpp",
  "line": "555",
  "message": "Failed to expand globs: Failed to open registry handle",
  "version": "4.9.0"
}
```
z
Did you perhaps change the log level for osquery?
m
@zwass Not at all. Literally the only thing that has changed is that I updated the Fleet binary from v4.1 to v4.2, ran the `prepare db` for any migration, and added the two settings in the `app_configs` DB table for vulnerability scanning, and now this happens. I even completely purged the osquery DB on that host and reinstalled it; still errors. Now it is:
```json
{
  "hostIdentifier": "76242d65-2c44-4b21-a0cd-ca226e63f02e",
  "calendarTime": "Sun Aug 15 03:15:08 2021 UTC",
  "unixTime": "1628997308",
  "severity": "0",
  "filename": "interfaces.cpp",
  "line": "102",
  "message": "Failed to retrieve network statistics for interface 1",
  "version": "4.9.0"
}
```
```json
{
  "hostIdentifier": "76242d65-2c44-4b21-a0cd-ca226e63f02e",
  "calendarTime": "Sun Aug 15 03:15:08 2021 UTC",
  "unixTime": "1628997308",
  "severity": "0",
  "filename": "interfaces.cpp",
  "line": "157",
  "message": "Failed to retrieve DHCP and DNS information for interface 1",
  "version": "4.9.0"
}
```
It can't really do anything. I think I will try rolling back to Fleet 4.1 and see if it resolves the problem.
@zwass These errors are completely gone after I rolled back to v4.1 and deleted the 3 new columns put in the DB with 4.2.
Ah, hang on, it ditched the label query, so it hasn't been assigned a query pack now because it re-enrolled after the DB purge.
@zwass Still errors, so I guess the vulnerability stuff is crashing Fleet, and maybe some Windows update has killed osqueryd or something, because purging the DB, reinstalling the MSI, re-enrolling into Fleet, etc. gives just those errors in bulk, and it is missing the actual user who is on the computer in the user list and is saying:
```json
{
  "hostIdentifier": "ea350f54-8884-43e4-abf2-a13b07390b42",
  "calendarTime": "Sun Aug 15 03:57:55 2021 UTC",
  "unixTime": "1628999875",
  "severity": "0",
  "filename": "registry.cpp",
  "line": "555",
  "message": "Failed to expand globs: Failed to open registry handle",
  "version": "4.9.0"
}
```
Nothing more I can say or do, I guess; it is totally broken.
z
The best way to debug this would be to compare what Fleet sends the osquery client between versions with `--tls_dump` turned on.