The moment I try to redirect carves to S3 bucket, ...
# fleet
a
The moment I try to redirect carves to an S3 bucket, I am getting the message in osquery, "I0524 173332.621054 10575 carver.cpp:186] Failed to post carve: No session_id received from remote endpoint" and it fails. Any idea what is happening and how to avert it?
n
Hi @Anoop K V. You’re able to successfully initiate a carve when you don’t try to redirect to S3, correct?
a
Yes, that is correct
No errors seen without S3 params
z
S3 was a community contribution so we are not super familiar with it. I do notice that SessionId comes from the upload ID (https://github.com/fleetdm/fleet/blob/master/server/datastore/s3/carves.go#L42). The Go SDK docs (https://docs.aws.amazon.com/sdk-for-go/api/service/s3/#CreateMultipartUploadOutput) don't indicate when this might be empty, but I suppose we need a check for that?
These docs (https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateMultipartUpload.html) don't specify either. If you are able to do some debugging on your own that would be helpful.
Turning on --verbose --tls_dump and looking at the osquery logs could be helpful. Also looking at the Fleet server logs.
a
Thanks @zwass I will explore these links. Unfortunately the verbose logs did not give much insight here.
z
Did the --tls_dump log show any information about what Fleet returned to osquery?
a
Thanks, that went unnoticed as it turned up a bit later, printing the "No session_id received from remote endpoint" message. It was because of my trust permissions given to the AssumeRole. Rectified the same. Now I am getting the files in S3. Thanks again.
🍻 1