# fleet
p
Anyone encountered osqueryd running service but host enrolled is offline on the fleet manager? I have tried to run osqueryd as a service but no headway.
n
Hi @proxx, usually the easiest way to debug enrollment issues is by running osqueryd with `--verbose --tls_dump`. Do you mind running osqueryd with these flags and pasting the output in this thread?
p
So after I ran the command I got this:
```
I0409 14:35:13.475466  3271 tls.cpp:255] TLS/HTTPS POST request to URI: <https://192.168.1.114:8080/api/v1/osquery/distributed/read>
{"node_key":"Sfb2QZXTeZw8503KkviGMOXF1tVXRBtv"}
{
"error": "retrieve live queries: scan active queries: scan keys: dial tcp 192.168.1.114:6379: connect: connection refused"
}
```
n
It seems like there is a connection error with your redis instance (assuming the port refusing connection is redis). I’m not positive on what the next steps for debugging this connection error are. Attempting to get better next steps for you now.
p
Do I have to install redis on the host I'm trying to enroll?
So I was able to resolve it. I had to copy the config in flagfile.txt that was downloaded from the fleet dashboard to osquery.flag, and I was able to enroll successfully and without it going offline.
n
Glad you were able to resolve the enrollment issue!
Before you downloaded the `flagfile.txt`, what were you using to manage flags for osqueryd? Did you include the flags in the osqueryd launch command as documented here? https://github.com/fleetdm/fleet/blob/master/docs/2-Deployment/3-Adding-hosts.md#launching-osqueryd
I’m trying to determine how we can improve the host enrollment documentation using the steps you took to resolve the issue.
p
So basically I ran the service as a daemon, which was not effective, so all I did was to create osquery.flags and copy the content in flagfile.txt.
So the best way I think you can help is to add a README.txt guiding on how to use the flag file.
So I have an issue, my fleet couldn't start after not properly shutting down my server. Which made me curious that I have other applications residing on the same server and they did start up at reboot.
See error below:
```
fleet.service - Fleet Osquery Fleet Manager
Loaded: loaded (/etc/systemd/system/fleet.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Mon 2021-04-12 22:14:02 WAT; 10s ago
Process: 1527 ExecStart=/usr/local/bin/fleet serve -c /etc/fleet/fleet.yml (code=exited, status=0/SUCCESS)
Process: 1536 ExecStop=/bin/kill -15 $(ps aux | grep fleet serve | grep -v grep | awk {print$2}) (code=exited, status=1/FAILURE)
Main PID: 1527 (code=exited, status=0/SUCCESS)
Apr 12 22:14:02 osquery-Standard-PC-i440FX-PIIX-1996 kill[1536]:  <pid> [...]            send signal to every <pid> listed
Apr 12 22:14:02 osquery-Standard-PC-i440FX-PIIX-1996 kill[1536]:  -<signal>, -s, --signal <signal>
Apr 12 22:14:02 osquery-Standard-PC-i440FX-PIIX-1996 kill[1536]:                         specify the <signal> to be sent
Apr 12 22:14:02 osquery-Standard-PC-i440FX-PIIX-1996 kill[1536]:  -l, --list=[<signal>]  list all signal names, or convert one to a name
Apr 12 22:14:02 osquery-Standard-PC-i440FX-PIIX-1996 kill[1536]:  -L, --table            list all signal names in a nice table
Apr 12 22:14:02 osquery-Standard-PC-i440FX-PIIX-1996 kill[1536]:  -h, --help     display this help and exit
Apr 12 22:14:02 osquery-Standard-PC-i440FX-PIIX-1996 kill[1536]:  -V, --version  output version information and exit
Apr 12 22:14:02 osquery-Standard-PC-i440FX-PIIX-1996 kill[1536]: For more details see kill(1).
Apr 12 22:14:02 osquery-Standard-PC-i440FX-PIIX-1996 systemd[1]: fleet.service: Control process exited, code=exited, status=1/FAILURE
Apr 12 22:14:02 osquery-Standard-PC-i440FX-PIIX-1996 systemd[1]: fleet.service: Failed with result 'exit-code'.
```
n
Which made me curious that i have other application residing on the same server and it did startup at reboot
What exactly started up at reboot? Fleet or your other applications?
p
Other applications configured on the same server
And I enabled Fleet to restart at reboot... Seems that's not the case.
n
@proxx Are you still experiencing the same issue in which Fleet fails to restart when your server reboots?
p
No... So I discovered that my server.cert was missing. Had to re-copy the certificate to the path where the certificate was generated.
n
Awesome, glad you discovered this. Again, thank you for your comments on improving flag file documentation. Calling out the areas of the docs that are lacking is very helpful.
p
The pleasure is all mine.
I don't know if your developers have integrated Fleet with Elasticsearch.
n
What do you mean exactly when you use the word “integrated?” Are you referring to the ability to ship logs from Fleet to Elasticsearch?
p
Yes, ship logs from Fleet to Elasticsearch.
n
There’s currently no way to ship logs directly from Fleet to Elasticsearch. Typically, folks will ship logs to Amazon Kinesis Data Firehose or other log plugins supported by Fleet (documentation is here). They’ll then use these tools to ship data to data aggregation solutions like Elasticsearch or Splunk.