Anyone encountered osqueryd running service but host enrolle osquery #fleet

Anyone encountered osqueryd running service but ho...

proxx

04/07/2021, 10:46 PM

Anyone encountered osqueryd running service but host enrolled is offline on the fleet manager. I have tried to to run osqueryd as a service but no headway.

Noah Talerman

04/07/2021, 11:25 PM

Hi @proxx Usually easiest way to debug enrollment issues is by running osqueryd with

--verbose --tls_dump

. Do you mind running osqueryd with these flags and pasting the output in this thread?

proxx

04/09/2021, 1:38 PM

So after i ran the command i got this

proxx

04/09/2021, 1:39 PM

I0409 14:35:13.475466  3271 tls.cpp:255] TLS/HTTPS POST request to URI: <https://192.168.1.114:8080/api/v1/osquery/distributed/read>

{"node_key":"Sfb2QZXTeZw8503KkviGMOXF1tVXRBtv"}

"error": "retrieve live queries: scan active queries: scan keys: dial tcp 192.168.1.114:6379: connect: connection refused"

Noah Talerman

04/09/2021, 6:22 PM

It seems like there is a connection error with your redis instance (assuming the port refusing connection is redis). I’m not positive on what the next steps for debugging this connection error are. Attempting to get better next steps for you now.

proxx

04/10/2021, 8:54 AM

Do I have to install redis on the host i'm trying to enroll

proxx

04/10/2021, 10:33 AM

So I was able to resolve it. I had to copy the config in flagfile.txt that was downloaded from the fleet dashboard to osquery.flag. and I was able to enroll successfully and without it going offline.

🍻 1

Noah Talerman

04/12/2021, 6:38 PM

Glad you were able to resolve the enrollment issue!

Noah Talerman

04/12/2021, 6:39 PM

Before you downloaded the

flagfile.txt

, what were you using to manage flags for osqueryd? Did you include the flags in the osqueryd launch command as documented here? https://github.com/fleetdm/fleet/blob/master/docs/2-Deployment/3-Adding-hosts.md#launching-osqueryd

Noah Talerman

04/12/2021, 6:39 PM

I’m trying to determine how we can improve the host enrollment documentation using the steps you took to resolve the issue.

proxx

04/12/2021, 9:18 PM

So basically I ran service as a daemon which was not effective so all I did was to create osquery.flags and copy the content in flag file.txt.

proxx

04/12/2021, 9:20 PM

So the best way i think you can help is to add a README.txt guiding on how to use the flag file.

👍 1

proxx

04/12/2021, 9:24 PM

So I have an issue, my fleet couldn't start after not properly shutting down my server. Which made me curious that i have other application residing on the same server and it did startup at reboot

proxx

04/12/2021, 9:24 PM

See error below

proxx

04/12/2021, 9:25 PM

fleet.service - Fleet Osquery Fleet Manager

Loaded: loaded (/etc/systemd/system/fleet.service; enabled; vendor preset: enabled)

Active: failed (Result: exit-code) since Mon 2021-04-12 22:14:02 WAT; 10s ago

Process: 1527 ExecStart=/usr/local/bin/fleet serve -c /etc/fleet/fleet.yml (code=exited, status=0/SUCCESS)

Process: 1536 ExecStop=/bin/kill -15 $(ps aux | grep fleet serve | grep -v grep | awk {print$2}) (code=exited, status=1/FAILURE)

Main PID: 1527 (code=exited, status=0/SUCCESS)

Apr 12 22:14:02 osquery-Standard-PC-i440FX-PIIX-1996 kill[1536]:  <pid> [...]            send signal to every <pid> listed

Apr 12 22:14:02 osquery-Standard-PC-i440FX-PIIX-1996 kill[1536]:  -<signal>, -s, --signal <signal>

Apr 12 22:14:02 osquery-Standard-PC-i440FX-PIIX-1996 kill[1536]:                         specify the <signal> to be sent

Apr 12 22:14:02 osquery-Standard-PC-i440FX-PIIX-1996 kill[1536]:  -l, --list=[<signal>]  list all signal names, or convert one to a name

Apr 12 22:14:02 osquery-Standard-PC-i440FX-PIIX-1996 kill[1536]:  -L, --table            list all signal names in a nice table

Apr 12 22:14:02 osquery-Standard-PC-i440FX-PIIX-1996 kill[1536]:  -h, --help     display this help and exit

Apr 12 22:14:02 osquery-Standard-PC-i440FX-PIIX-1996 kill[1536]:  -V, --version  output version information and exit

Apr 12 22:14:02 osquery-Standard-PC-i440FX-PIIX-1996 kill[1536]: For more details see kill(1).

Apr 12 22:14:02 osquery-Standard-PC-i440FX-PIIX-1996 systemd[1]: fleet.service: Control process exited, code=exited, status=1/FAILURE

Apr 12 22:14:02 osquery-Standard-PC-i440FX-PIIX-1996 systemd[1]: fleet.service: Failed with result 'exit-code'.

Noah Talerman

04/12/2021, 10:07 PM

Which made me curious that i have other application residing on the same server and it did startup at reboot

What exactly started up at reboot? Fleet or your other applications?

proxx

04/13/2021, 12:01 AM

Other applications configured on the same server

proxx

04/13/2021, 12:01 AM

And I enable Fleet to restart at reboot.....Seem that's not the case

Noah Talerman

04/13/2021, 3:55 PM

@proxx Are you still experiencing the same issue in which Fleet fails to restart when your server reboots?

proxx

04/13/2021, 8:58 PM

No... So i discovered that my server.cert was missing . Had to re-copy the certificate to to the path where the certificate was generated.

Noah Talerman

04/13/2021, 9:22 PM

Awesome, glad you discovered this. Again, thank you for your comments on improving flag file documentation. Calling out the areas of the docs that are lacking is very helpful.

proxx

04/13/2021, 9:46 PM

The pleasure is all mine.

proxx

04/13/2021, 9:47 PM

I don't know if your developers have integrated Fleet with Elasticsearch.

Noah Talerman

04/14/2021, 4:04 PM

What do you mean exactly when you use the word “integrated?” Are you referring to the ability to ship logs from Fleet to Elasticsearch?

proxx

04/15/2021, 12:47 PM

Yes ship logs from Fleet to Elasticsearch

Noah Talerman

04/15/2021, 5:10 PM

There’s currently no way to ship logs directly from Fleet to Elasticsearch. Typically, folks will ship logs to Amazon Kinesis Data Firehouse or other log plugins supported by Fleet (documentation is here). They’ll then use these tools to then ship data to data aggregation solutions like Elasticsearch or Splunk

8 Views

Open in Slack

Previous Next