The moment I try to redirect carves to S3 bucket I am gettin

Question

The moment I try to redirect carves to S3 bucket I am getting the message in Osquery I0524 17 33 32 621054 10575 carver cpp 186 Failed to post carve No session id received from remote endpoint and fails Any idea what is happening and how to avert

Noah Talerman · Answer

Hi < Anoop K V> You re able to successfully initiate a carve when you don t try to redirect to S3 correct

Anoop K V · Answer

Yes that is correct

Anoop K V · Answer

No errors seen without S3 params

zwass · Answer

S3 was a community contribution so we are not super familiar with it I do notice that SessionId comes from the upload ID The Go SDK docs don t indicate when this might be empty but I suppose we need a check for that

zwass · Answer

These docs <https docs aws amazon com AmazonS3 latest API API CreateMultipartUpload html> don t specify either If you are able to do some debugging on your own that would be helpful

zwass · Answer

Turning on ` verbose tls dump` and looking at the osquery logs could be helpful Also looking at the Fleet server logs

Anoop K V · Answer

Thanks < zwass> I will explore these links Unfortunately the verbose logs did not give much insight here

zwass · Answer

Did the ` tls dump` log show any information about what Fleet returned to osquery

Anoop K V · Answer

Thanks that went unnoticed as it turned up bit later printing the No session id received from remote endpoint message It was because of my trust permissions given to the AssumeRole Rectified the same Now I am getting the files in S3 Thanks again