https://github.com/osquery/osquery logo
Powered by
#fleet
Title
p

proxx

04/07/2021, 10:46 PM
Anyone encountered osqueryd running service but host enrolled is offline on the fleet manager. I have tried to to run osqueryd as a service but no headway.
n

Noah Talerman

04/07/2021, 11:25 PM
Hi @proxx Usually easiest way to debug enrollment issues is by running osqueryd with 
--verbose --tls_dump
. Do you mind running osqueryd with these flags and pasting the output in this thread?
p

proxx

04/09/2021, 1:38 PM
So after i ran the command i got this
I0409 14:35:13.475466  3271 tls.cpp:255] TLS/HTTPS POST request to URI: <https://192.168.1.114:8080/api/v1/osquery/distributed/read>
{"node_key":"Sfb2QZXTeZw8503KkviGMOXF1tVXRBtv"}
{
"error": "retrieve live queries: scan active queries: scan keys: dial tcp 192.168.1.114:6379: connect: connection refused"
}
n

Noah Talerman

04/09/2021, 6:22 PM
It seems like there is a connection error with your redis instance (assuming the port refusing connection is redis). I’m not positive on what the next steps for debugging this connection error are. Attempting to get better next steps for you now.
p

proxx

04/10/2021, 8:54 AM
Do I have to install redis on the host i'm trying to enroll
So I was able to resolve it. I had to copy the config in flagfile.txt that was downloaded from the fleet dashboard to osquery.flag. and I was able to enroll successfully and without it going offline.
🍻 1
n

Noah Talerman

04/12/2021, 6:38 PM
Glad you were able to resolve the enrollment issue!
Before you downloaded the 
flagfile.txt
, what were you using to manage flags for osqueryd? Did you include the flags in the osqueryd launch command as documented here? https://github.com/fleetdm/fleet/blob/master/docs/2-Deployment/3-Adding-hosts.md#launching-osqueryd
I’m trying to determine how we can improve the host enrollment documentation using the steps you took to resolve the issue.
p

proxx

04/12/2021, 9:18 PM
So basically I ran service as a daemon which was not effective so all I did was to create osquery.flags and copy the content in flag file.txt.
So the best way i think you can help is to add a README.txt guiding on how to use the flag file.
👍 1
So I have an issue, my fleet couldn't start after not properly shutting down my server. Which made me curious that i have other application residing on the same server and it did startup at reboot
See error below
fleet.service - Fleet Osquery Fleet Manager
Loaded: loaded (/etc/systemd/system/fleet.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Mon 2021-04-12 22:14:02 WAT; 10s ago
Process: 1527 ExecStart=/usr/local/bin/fleet serve -c /etc/fleet/fleet.yml (code=exited, status=0/SUCCESS)
Process: 1536 ExecStop=/bin/kill -15 $(ps aux | grep fleet serve | grep -v grep | awk {print$2}) (code=exited, status=1/FAILURE)
Main PID: 1527 (code=exited, status=0/SUCCESS)
Apr 12 22:14:02 osquery-Standard-PC-i440FX-PIIX-1996 kill[1536]:  <pid> [...]            send signal to every <pid> listed
Apr 12 22:14:02 osquery-Standard-PC-i440FX-PIIX-1996 kill[1536]:  -<signal>, -s, --signal <signal>
Apr 12 22:14:02 osquery-Standard-PC-i440FX-PIIX-1996 kill[1536]:                         specify the <signal> to be sent
Apr 12 22:14:02 osquery-Standard-PC-i440FX-PIIX-1996 kill[1536]:  -l, --list=[<signal>]  list all signal names, or convert one to a name
Apr 12 22:14:02 osquery-Standard-PC-i440FX-PIIX-1996 kill[1536]:  -L, --table            list all signal names in a nice table
Apr 12 22:14:02 osquery-Standard-PC-i440FX-PIIX-1996 kill[1536]:  -h, --help     display this help and exit
Apr 12 22:14:02 osquery-Standard-PC-i440FX-PIIX-1996 kill[1536]:  -V, --version  output version information and exit
Apr 12 22:14:02 osquery-Standard-PC-i440FX-PIIX-1996 kill[1536]: For more details see kill(1).
Apr 12 22:14:02 osquery-Standard-PC-i440FX-PIIX-1996 systemd[1]: fleet.service: Control process exited, code=exited, status=1/FAILURE
Apr 12 22:14:02 osquery-Standard-PC-i440FX-PIIX-1996 systemd[1]: fleet.service: Failed with result 'exit-code'.
n

Noah Talerman

04/12/2021, 10:07 PM
Which made me curious that i have other application residing on the same server and it did startup at reboot
What exactly started up at reboot? Fleet or your other applications?
p

proxx

04/13/2021, 12:01 AM
Other applications configured on the same server
And I enable Fleet to restart at reboot.....Seem that's not the case
n

Noah Talerman

04/13/2021, 3:55 PM
@proxx Are you still experiencing the same issue in which Fleet fails to restart when your server reboots?
p

proxx

04/13/2021, 8:58 PM
No... So i discovered that my server.cert was missing . Had to re-copy the certificate to to the path where the certificate was generated.
n

Noah Talerman

04/13/2021, 9:22 PM
Awesome, glad you discovered this. Again, thank you for your comments on improving flag file documentation. Calling out the areas of the docs that are lacking is very helpful.
p

proxx

04/13/2021, 9:46 PM
The pleasure is all mine.
I don't know if your developers have integrated Fleet with Elasticsearch.
n

Noah Talerman

04/14/2021, 4:04 PM
What do you mean exactly when you use the word “integrated?” Are you referring to the ability to ship logs from Fleet to Elasticsearch?
p

proxx

04/15/2021, 12:47 PM
Yes ship logs from Fleet to Elasticsearch
n

Noah Talerman

04/15/2021, 5:10 PM
There’s currently no way to ship logs directly from Fleet to Elasticsearch. Typically, folks will ship logs to Amazon Kinesis Data Firehouse or other log plugins supported by Fleet (documentation is here). They’ll then use these tools to then ship data to data aggregation solutions like Elasticsearch or Splunk
4 Views
Powered by