Hey all, quick question, seeing this error in the Fleet logs

enroll failed: no matching secret found

this means that the enroll_secret in the osquery agent is for some reason not correct right?

Yes. Usually easiest to debug this by running osqueryd with

--verbose --tls_dump

and see what it's trying to send as the secret.

Thanks @zwass will need to hunt down the system in our fleet that is doing this. 😄

Is this a log on the Fleet server? Hopefully the log includes an IP the request came from to help you out 🙂

The IP I get and it would have been useful if the proxy hadn't messed with it 😄 😮

I think we also log the x-forwarded-for if your proxy sets that

Yes true, but because the proxy is not intervening it does not add the x-forward-for header. I see in the log there is a host identifier, maybe an idea to also add like the Osquery agent IP that it gets from Osquery just like the host identifier, that way you always have the tru source and not depending on the systems inbetween Osquery and Fleet.