Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
d
defensivedepth
01/20/2021, 9:59 PMAny ideas on how to troubleshoot this further?
z
zwass
01/20/2021, 10:20 PMSee https://github.com/kolide/launcher/issues/445#issuecomment-762975944. We can't really do anything on the Fleet side since the data never touches us.
s
seph
01/21/2021, 3:53 AMI updated https://github.com/kolide/launcher/pull/481 as an approach to handling this.
But I don’t have a way to test this.
:ty: 1
Do you have enough of a test bed, that you can test a build? (and if so, can you build that branch, or do you want me to?)
d
defensivedepth
01/21/2021, 7:52 PMFirst off, thanks @zwass @seph for looking into this more. The user on that thread (B3DTech) is using osquery with Security Onion and posted that error over on our support forum, which is why I brought it up over here. I actually havent been able to duplicate the issue on my side.
I will carve out some more time next week to see if I can replicate it and then eventually test that branch
s
seph
01/21/2021, 7:54 PMCool. Thanks!
Feel free to update the PR if it seems reasonable to you
👍 1
d
defensivedepth
01/29/2021, 10:13 PMSo the good news here is that Launcher was still trying to send mis-formatted osquery logs (from when they had osquery < 4.5.1 installed); once we blew away the rocksdb, we can't reproduce the utf8 errors.
s
seph
01/31/2021, 12:40 AMOkay, I’m glad that the underlying bug in osquery seems fixed. I think there’s still thing weird in launcher — if it can’t send a log, it gets stuck, But this is somewhat intentional — it’s designed not to lose information
👍 1