#fleet
Anoop K V

05/24/2021, 6:17 PM
The moment I try to redirect carves to an S3 bucket, I am getting the message in Osquery, "I0524 17:33:32.621054 10575 carver.cpp:186] Failed to post carve: No session_id received from remote endpoint" and it fails. Any idea what is happening and how to avert it?
Noah Talerman

05/24/2021, 7:04 PM
Hi @Anoop K V. You’re able to successfully initiate a carve when you don’t try to redirect to S3, correct?
Anoop K V

05/24/2021, 10:37 PM
Yes, that is correct
10:39 PM
No errors seen without S3 params
zwass

05/25/2021, 1:18 AM
S3 was a community contribution so we are not super familiar with it. I do notice that SessionId comes from the upload ID (https://github.com/fleetdm/fleet/blob/master/server/datastore/s3/carves.go#L42). The Go SDK docs (https://docs.aws.amazon.com/sdk-for-go/api/service/s3/#CreateMultipartUploadOutput) don't indicate when this might be empty, but I suppose we need a check for that?
1:20 AM
These docs (https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateMultipartUpload.html) don't specify either. If you are able to do some debugging on your own that would be helpful.
1:24 AM
Turning on --verbose --tls_dump and looking at the osquery logs could be helpful. Also looking at the Fleet server logs.
Anoop K V

05/25/2021, 6:06 AM
Thanks @zwass I will explore these links. Unfortunately the verbose logs did not give much insight here.
zwass

05/25/2021, 4:08 PM
Did the --tls_dump log show any information about what Fleet returned to osquery?
Anoop K V

05/27/2021, 4:53 AM
Thanks, that went unnoticed as it turned up a bit later, printing the "No session_id received from remote endpoint" message. It was because of my trust permissions given to the AssumeRole. Rectified the same. Now I am getting the files in S3. Thanks again.