
nyanshak

02/26/2021, 9:00 PM
As always, love the new releases 🙂 Currently testing 3.8.0 and have some feedback.
Love the new host search / host details page 🙂
But I'm wondering how the fields are populated... For example: "Uptime" shows "a few seconds", but my host has actually been up for ~4.5 hours. *osquery*'s uptime may only have been a few seconds, but this is a confusing way to represent this on the page, especially when there's also a 'last seen' field.
IPv4 isn't getting populated for me so that's curious. I don't know where the query is for that to go check right away.
I have `--config_refresh` as 60 in the flag file, and 300 in Fleet's options, but "Config TLS refresh" shows 0. Not sure what's up with that.
"Logger TLS period" shows 0, but it may be more accurate to show the `--aws_kinesis_period`, because I'm using the `aws_kinesis` logger plugin.
My understanding is that these were all "builtin labels" previously:
• All Hosts
• macOS
• Ubuntu Linux
• CentOS Linux
• MS Windows
However, these don't show as labels on the host detail page for relevant hosts. It's just slightly weird to not show that detail anywhere. 🤷‍♀️ nitpicky probably
I really like that it shows which packs apply to the host! I wish I could also easily see which queries within a pack apply to that host (maybe by a folding / drop-down type deal or a link to another page) ?
idk, I literally just deployed this in a test environment recently, so that's all I've got for now.

zwass

02/26/2021, 9:17 PM
I am going to go through this and respond and/or file issues as appropriate.

defensivedepth

02/26/2021, 9:30 PM
I am seeing the IPv4 issues as well

nyanshak

02/26/2021, 9:38 PM
FWIW I see IPs on some hosts but missing on ... a lot of them.
Edit: re: labels for the host... 🤦‍♀️ I think I was just looking at a host where it didn't apply, actually (e.g., it was a Linux host, but not a CentOS / Ubuntu host).
Oh extra feedback around "IPv4": I have some hosts showing IPv6 addresses in the "IPv4" column, which is fine, I guess, if slightly inaccurate 🤷‍♀️

zwass

02/26/2021, 10:52 PM
Regarding labels, seems like it would be useful to you to also see the built in labels?

nyanshak

02/27/2021, 9:35 PM
re: labels: I don't think there's anything necessarily needed. Seems built-in labels are shown already (except All Hosts, but... 🤷‍♀️ that's not a useful label to show).

zwass

03/04/2021, 6:12 PM
re config_refresh @nyanshak, can you live query the host with the value of 0 and see what you get for
`select name, value from osquery_flags where name in ("distributed_interval", "config_tls_refresh", "config_refresh", "logger_tls_period")`
?
I noticed that on the hosts where I could see this they actually had a value of 0 because it was not set in the flagfile nor in the Fleet config and the default (to my surprise) is 0.

nyanshak

03/04/2021, 6:14 PM
oh huh, that's... really weird. What is the behavior when these are set to 0? Do they just never refresh settings?
And I would have thought that Fleet options overrode this as well 🤔

zwass

03/04/2021, 7:47 PM
My understanding is that the default is "get a config on startup and never again"
Configs returned from Fleet do override the config_refresh value. So the unexpected case would be if osquery starts up with no value set and the first config retrieved doesn't set it. Then you'll never get a config update on that host.
(except when osqueryd starts up)

nyanshak

03/05/2021, 12:18 AM
> if osquery starts up with no value set and the first config retrieved doesn't set it
Assuming I have Fleet configured to always return this option for all hosts... Is there any case where osquery is configured to get config from Fleet (but its flag file doesn't have values for this), and it only gets config once / never gets a proper config?

zwass

03/05/2021, 12:24 AM
I can't think of any case that would occur besides for if the host had no internet connectivity.

nyanshak

03/05/2021, 12:25 AM
👍 that's good

zwass

03/05/2021, 2:23 AM
I did find some other cases where the config_refresh value might not update appropriately and fixed them in https://github.com/fleetdm/fleet/pull/388.
Can anyone verify whether a host "missing" IP has any IPs available if you live query `network_interfaces`?
Also, does a host with a missing IP have a valid MAC, or is that also missing?

defensivedepth

03/09/2021, 5:12 PM
Do you still need this @zwass?

zwass

03/09/2021, 5:12 PM
Ah no I think I found the issue.