Channels
doorman
infrastructure
random
zercurity
community-feeds
fleet-dev
code-review
queryhub
apple-silicon
carving
tls
fim
goquery
zentral
aws
querycon
golang
zeek
file-carving
fuzzing
auditing-warroom
linen-dev
fleetosquery
plugins
jobs
arm-architecture
darkbytes
process-auditing
uptycs
android_tests
selfgroup
vendor-feeds
fleet
eclecticiq-polylogyx-extension
ebpf
website
core
general
macos
kolide
osctrl
extensions
foundation
sql
officehours
linux
windows
Title
n
nyanshak
02/26/2021, 9:00 PMAs always, love the new releases 🙂 Currently testing 3.8.0 and have some feedback <thread>
Love the new host search / host details page 🙂
But I'm wondering how the fields are populated...
For example: "Uptime" shows "a few seconds", but my host has actually been up for ~4.5 hours. *osquery*'s uptime may only have been a few seconds, but this is a confusing way to represent this on the page, especially when there's also a 'last seen' field.
IPv4 isn't getting populated for me so that's curious. I don't know where the query is for that to go check right away.
I have
--config_refreshConfig TLS refresh"Logger TLS period" shows 0, but it may be more accurate to show the
--aws_kinesis_periodaws_kinesisMy understanding is that things these were all "builtin labels" previously:
• All Hosts
• macOS
• Ubuntu Linux
• CentOS Linux
• MS Windows
However, these don't show as labels on the host detail page for relevant hosts. It's just slightly weird to not show that detail anywhere. 🤷♀️ nitpicky probably
I really like that it shows which packs apply to the host!
I wish I could also easily see which queries within a pack apply to that host (maybe by a folding / drop-down type deal or a link to another page) ?
idk I literally just deployed this in a test environment recently, so that's all I've got for now.
🍻 2
z
zwass
02/26/2021, 9:17 PMI am going to go through this and respond and/or file issues as appropriate.
d
defensivedepth
02/26/2021, 9:30 PMI am seeing the IPv4 issues as well
n
nyanshak
02/26/2021, 9:38 PMFWIW I see IPs on some hosts but missing on ... a lot of them.
Edit: re: labels for the host... 🤦♀️ I think I was just looking at a host where it didn't apply, actually. (e.g., it was a linux host, but not centos / ubuntu host)
Oh extra feedback around "IPv4": I have some hosts showing IPv6 addresses in the "IPv4" column, which is fine, I guess, if slightly inaccurate 🤷♀️
z
zwass
02/26/2021, 10:52 PMConfig refresh: https://github.com/fleetdm/fleet/issues/357
Regarding labels, seems like it would be useful to you to also see the built in labels?
n
nyanshak
02/27/2021, 9:35 PMre: labels: I don't think there's anything necessarily needed. Seems built-in labels are shown already (except All Host but... 🤷♀️ that's not a useful label to show)
z
zwass
03/04/2021, 6:12 PMre config_refresh @nyanshak, can you live query the host with the value of 0 and see what you get for
select name, value from osquery_flags where name in ("distributed_interval", "config_tls_refresh", "config_refresh", "logger_tls_period")I noticed that on the hosts where I could see this they actually had a value of 0 because it was not set in the flagfile nor in the Fleet config and the default (to my surprise) is 0.
n
nyanshak
03/04/2021, 6:14 PMoh huh that's... really weird. What is the behavior when these are set to 0? Do they just never refresh settings?
and I would have thought that fleet options overrode this as well 🤔
z
zwass
03/04/2021, 7:47 PMMy understanding is that the default is "get a config on startup and never again"
Configs returned from Fleet do override the config_refresh value. So the unexpected case would be if osquery starts up with no value set and the first config retrieved doesn't set it. Then you'll never get a config update on that host.
(except when osqueryd starts up)
n
nyanshak
03/05/2021, 12:18 AMif osquery starts up with no value set and the first config retrieved doesn't set itAssuming I have fleet configured to always return this option for all hosts... Is there any case where osquery is configured to get config from fleet (but its flag file doesn't have values for this), and it only gets config once / never gets a proper config?
z
zwass
03/05/2021, 12:24 AMI can't think of any case that would occur besides for if the host had no internet connectivity.
n
nyanshak
03/05/2021, 12:25 AM👍 that's good
z
zwass
03/05/2021, 2:23 AMI did find some other cases where the config_refresh value might not update appropriately and fixed them in https://github.com/fleetdm/fleet/pull/388.
Can anyone verify whether a host "missing" IP has any IPs available if you live query
network_interfacesAlso, does a host with a missing IP have a valid MAC or is that also missing?
d
defensivedepth
03/09/2021, 5:12 PMyou still need this @zwass
z
zwass
03/09/2021, 5:12 PMAh no I think I found the issue.
👍 1