# fleet
n
#418 Make enrollment cooldown configurable <thread>
If `osquery_host_identifier` is set to `instance`, is there any benefit to also setting `osquery_enroll_cooldown` to anything other than the default (`0`)?
z
Possibly you could get into a scenario in which an osquery database was copied to multiple hosts and then they are all using the same instance identifier
n
Ah right, that scenario. Well at least it beats the current one.
Do you have any idea where in osquery source the "send this extra info" lives?
I want to try to track down the version
wait, found it, it's in `osquery/plugins/remote/enroll/tls_enroll.cpp`
https://github.com/osquery/osquery/pull/3675 So I think this was in `2.8.0+`
z
Yeah that looks right to me.
Hopefully `osquery_enroll_cooldown` is used rarely if ever now. I'm tempted to remove it entirely but it could be a good escape valve if someone ends up in that bad scenario.
n
I actually figured it would be good to have it set (not sure what good value would be) so that you would at least see logs when you get into this scenario.
Like if someone copies osquery db, at least you could know that it's happening.
z
Ah yes but I think folks were running into issues with it spuriously due to https://github.com/osquery/osquery/issues/6993.
n
😢 what a twisted issue this is
z
Yeah, 😢 is right
I've been chasing the whole thing in circles for a while now
n
OK, then I will leave cooldown as 0, even though I am disappointed that I won't know about that one specific case.
🤷‍♀️ great work chasing it, pretty frustrating issue
z
Hopefully we can resolve that osquery issue and then get that cooldown back on
n
Depends on the issue / also requires getting all osquery clients up to date everywhere 😉 Auto-updater will help for this.
Last question and I think I know the answer... osquery ignores fleet's `--host_identifier`, so even though fleet will have unique values for each osquery host, osquery will still send logs with `hostIdentifier` set to whatever osquery specifies. So there could still be a bit of confusion when trying to correlate logs to fleet hosts, right? And would the situation be any better if the log destination was set to fleet? I'm assuming not, because it would be a processing-intensive operation to parse & rewrite all the logs.
z
Fleet doesn't try to address that at the moment. If you use `hostIdentifier` to identify the osquery logs (rather than some decorator value) you'll want to configure it appropriately on the clients regardless of Fleet's value.
n
sorry to ask so many questions about this... what is the advantage of `instance` over `uuid` / why is this the recommended approach? presumably you would never have duplicates for `uuid` (except maybe if you copy the osquery DB?)
z
We've seen folks deploy multiple copies of a VM that report the same UUID and that causes a similar issue.
n
Ah right, thanks for all the help
🥳