The moment I try to redirect carves to an S3 bucket, I am getting the message in Osquery, "I0524 173332.621054 10575 carver.cpp:186] Failed to post carve: No session_id received from remote endpoint" and it fails. Any idea what is happening and how to avert it?
Hi @Anoop K V. You’re able to successfully initiate a carve when you don’t try to redirect to S3, correct?
Yes, that is correct
No errors seen without S3 params
S3 was a community contribution so we are not super familiar with it. I do notice that SessionId comes from the upload ID. The Go SDK docs don't indicate when this might be empty, but I suppose we need a check for that?
These docs don't specify either. If you are able to do some debugging on your own that would be helpful.
Turning on --verbose --tls_dump and looking at the osquery logs could be helpful. Also looking at the Fleet server logs.
Thanks @zwass I will explore these links. Unfortunately the verbose logs did not give much insight here.
Did the
log show any information about what Fleet returned to osquery?
Thanks, that went unnoticed as it turned up a bit later, printing the "No session_id received from remote endpoint" message. It was because of my trust permissions given to the AssumeRole. Rectified the same. Now I am getting the files in S3. Thanks again.
