Hi there, I am trying to setup a demo security onion solution as a proof concept for my workplace and have managed to connect a machine running RHEL without any issues but when running the MSI launcher on a Windows Server 2016 instance it just doesn't seem to add it to the fleet at all? Has anyone else ran into issues trying to add a 2016 Windows Server machine to the fleet using just the launcher provided by SO?
For e.g. all I had to do to connect the RHEL machine to the fleet was download and run the launcher after using so-allow to allow osquery connections and I was under the impression that it'd be the same process for adding the Windows Server 2016 machine?
06/24/2021, 3:52 PM
@defensivedepth builds SO and may know more
06/24/2021, 3:54 PM
Okay thanks @zwass!
06/24/2021, 4:48 PM
@RyanMcG check under the Application eventlog on the Windows Server - restart the Kolide Launcher service and you should see logs there.
06/25/2021, 8:41 AM
Firstly, thanks for helping @defensivedepth, and according to the logs the launcher configuration completed successfully but I did notice a pile of NULL values, which I can only assume aren't supposed to be there?
06/29/2021, 8:20 PM
@RyanMcG are you seeing logs that state that it successfully connected? Once connected, you should see logs about scheduled queries running every so often, etc
06/30/2021, 12:10 PM
It doesn't look like the actual connection was successful, I have attached a couple of log snippets below. Yesterday I thought i'd test out a Windows 10 Pro OS Instance just to see if the launcher was essentially all i needed to setup the connection and it worked as expected which leads me to think there might be some support issues with the specific release of Windows Server 2016 that I was using to test?
07/01/2021, 4:22 PM
Yes that is very possible. What version of SO are you on?
07/05/2021, 8:05 AM
sorry for the late reply, i'm using version - 2.3.52
07/06/2021, 8:32 PM
Can you regenerate the osquery packages and then try to reinstall? Run the following on the manager: