418 Make enrollment cooldown configurable lt thread gt

Question

nyanshak · Answer

If `osquery host identifier` is set to `instance` is there any benefit to also setting `osquery enroll cooldown` to anything other than the default `0`

zwass · Answer

Possibly you could get into a scenario in which an osquery database was copied to multiple hosts and then they are all using the same instance identifier

nyanshak · Answer

Ah right that scenario Well at least it beats the current one

nyanshak · Answer

Do you have any idea where in osquery source the send this extra info lives

nyanshak · Answer

I want to try to track down the version

nyanshak · Answer

wait found it it s in `osquery plugins remote enroll tls enroll cpp`

nyanshak · Answer

<https github com osquery osquery pull 3675> So I think this was in `2 8 0+`

zwass · Answer

Yeah that looks right to me

zwass · Answer

Hopefully `osquery enroll cooldown` is used rarely if ever now I m tempted to remove it entirely but it could be a good escape valve if someone ends up in that bad scenario

nyanshak · Answer

I actually figured it would be good to have it set not sure what good value would be so that you would at least see logs when you get into this scenario

nyanshak · Answer

Like if someone copies osquery db at least you could know that it s happening

zwass · Answer

Ah yes but I think folks were running into issues with it spuriously due to <https github com osquery osquery issues 6993>

nyanshak · Answer

cry what a twisted issue this is

zwass · Answer

Yeah cry is right

zwass · Answer

I ve been chasing the whole thing in circles for a while now

nyanshak · Answer

OK then I will leave cooldown as 0 even though I am disappointed that I won t know about that one specific case

nyanshak · Answer

woman shrugging great work chasing it pretty frustrating issue

zwass · Answer

Hopefully we can resolve that osquery issue and then get that cooldown back on

nyanshak · Answer

Depends on the issue also requires getting all osquery clients up to date everywhere wink Auto updater will help for this

nyanshak · Answer

Last question and I think I know the answer osquery ignores fleet s ` host identifier` so even though fleet will have unique values for each osquery host osquery will still send logs with `hostIdentifier` set to whatever osquery specifies So there could still be a bit of confusion when trying to correlate logs to fleet hosts right And would the situation be any better if the log destination was set to fleet I m assuming not because it would be processing intensive operation to parse amp rewrite all the logs

zwass · Answer

Fleet doesn t try to address that at the moment If you use `hostIdentifier` to identify the osquery logs rather than some decorator value you ll want to configure it appropriately on the clients regardless of Fleet s value

nyanshak · Answer

sorry to ask so many questions about this what is the advantage of `instance` over `uuid` why is this the recommended approach presumably you would never have duplicates for `uuid` except maybe if you copy the osquery DB

zwass · Answer

We ve seen folks deploy multiple copies of a VM that report the same UUID and that causes a similar issue

nyanshak · Answer

Ah right thanks for all the help

nyanshak · Answer

partying face