Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
d
Dan Achin
03/29/2021, 5:17 PMHello Fleet - has anyone here seen high rates of 400 errors logged in Fleet nginx for POSTS to the logging endpoint? We have a lot of clients that are never able to send data to Fleet as every POST from them is a 400 and we are wondering if this is somehow related to or the cause of massive, unexpected traffic from some of our clients to Fleet (as clients are retrying to resend the data). There's a write up of the issue here:
https://github.com/osquery/osquery/issues/7021#issuecomment-808569110
Also, are their any best practices for Fleet's nginx config? Maybe we need larger headers enabled or something
n
Noah Talerman
03/29/2021, 5:38 PMHi Dan, this writeup includes guidance on Fleet and Nginx: https://defensivedepth.com/2020/04/02/kolide-fleet-breaking-out-the-osquery-api-web-ui/
In the osquery/osquery issue writeup you’ve linked, you confirm that Fleet is configured with
--logger_tls_endpoint/api/v1/log/api/v1/osquery/logd
Dan Achin
03/29/2021, 5:59 PMoh...let me confirm that. thanks for the link
sorry, it's /api/v1/osquery/log
i'll fix that in the comment, good catch
ya, I've read that link before...and we plan to do that so that we can have the tls read / write endpoints for our laptops exposed over the internet without allowing external access to administrative apis
Also, I could have sworn fleet came with its own nginx...but maybe I'm wrong about that
@Noah Talerman - do you know if osquery will continue to try to send logs to Fleet forever if it's not getting a 200 response? I see max attempts for config
--config_tls_max_attempts=3--distributed_tls_max_attempts=3n
Noah Talerman
03/29/2021, 7:20 PMdo you know if osquery will continue to try to send logs to Fleet forever if it’s not getting a 200 response?I don’t have an immediate answer to this question. Working on getting an answer now.
d
Dan Achin
03/29/2021, 7:31 PMthanks!
n
Noah Talerman
03/29/2021, 7:35 PMWhen the logger endpoint responds with a 400 status, the logs that were attempted to be sent will be buffered on the client.
Fleet uses the
--logger_tls_periodd
Dan Achin
03/29/2021, 7:36 PMRight, that matches my understanding. so there is no setting for how many times to try before giving up...it will always keep trying
at least until the DB is cleared out
i.e. the buffered logs
n
Noah Talerman
03/29/2021, 7:42 PMit will always keep tryingCorrect
I now see how the client trying over and over again is undesirable with your setup.
What was your ideal next step when you encountered this issue? Was it to find a way to inform these osquery clients to give up?
d
Dan Achin
03/29/2021, 8:48 PMSorry @Noah Talerman, went and got lunch. It's not so much that it's undesirable, I just wanted to confirm the behavior. we are looking at everything we possibly can to try and figure out why we have clients sending GB of data every hour but hardly any of it makes it to Fleet
as I'm looking through /var/log/messages on Fleet, I see some EOF errors, like this:
2021-03-29T18:42:11.682014+00:00 servername REDACTED fleet[11900]: {"component":"http","err":"decoding JSON: unexpected EOF","ts":"2021-03-29T18:42:11.68104674Z"}We need to upgrade this env to 3.9.0 to see if that might clear up some of the duplicate / invalid node keys
Turned on debug logging at Fleet and not seeing anything in /var/log/messages that corresponds to the 400s I see in nginx access logs. So that's a data point for the 400 being generated by nginx and not upstream from fleet
👍 1
n
Noah Talerman
03/29/2021, 10:45 PMwe are looking at everything we possibly can to try and figure out why we have clients sending GB of data every hour but hardly any of it makes it to FleetGot it. Thank you for providing your updated findings. The configurable host identifier included in 3.9.0 may be helpful for duplicate enrollment. Attempting to get a better answer for why you’re seeing the EOF errors
d
Dan Achin
03/29/2021, 11:22 PMawesome, thanks
s
seph
03/29/2021, 11:26 PMYou were thinking about nginx logs? Any chance you’ve looked at them?
decoding JSON: unexpected EOFd
Dan Achin
03/29/2021, 11:37 PMyes...we have been looking at them @seph. mostly we are only getting 200s and 400s....we aren't getting any error logs so I have my team looking at that
my first thought was that those EOFs could be the cause of the 400s...but we only see a small-ish amount of the EOFs, much less than the occurrences of 400s we see.
@Noah Talerman @zwass - good news. Reduced the buffered_log_max significantly and within an hour, the bandwidth usage dropped an order of magnitude. Additionally, we are no longer seeing significant #s of 400 errors in nginx, which now leads me to believe that the message body size that nginx accepts needs to be increased. Cautiously optimistic that we are going to be able to resolve this soon.
z
zwass
03/30/2021, 9:25 PMGlad to hear it!
🙏 1