Title
#fleet
SK

SK

02/24/2021, 10:56 AM
Hey all, quick question, seeing this error in the Fleet logs
enroll failed: no matching secret found
this means that the enroll_secret in the osquery agent is for some reason not correct right?
zwass

zwass

02/24/2021, 4:15 PM
Yes. Usually easiest to debug this by running osqueryd with
--verbose --tls_dump
and see what it's trying to send as the secret.
SK

SK

02/24/2021, 4:31 PM
Thanks @zwass will need to hunt down the system in our fleet that is doing this. 😄
zwass

zwass

02/24/2021, 4:37 PM
Is this a log on the Fleet server? Hopefully the log includes an IP the request came from to help you out 🙂
SK

SK

02/24/2021, 4:38 PM
The IP I get and it would have been useful if the proxy hadn't messed with it 😄 😮
zwass

zwass

02/24/2021, 4:41 PM
I think we also log the x-forwarded-for if your proxy sets that
SK

SK

02/24/2021, 7:57 PM
Yes true, but because the proxy is not intervening it does not add the x-forward-for header. I see in the log there is a host identifier, maybe an idea to also add like the Osquery agent IP that it gets from Osquery just like the host identifier, that way you always have the tru source and not depending on the systems inbetween Osquery and Fleet.