I am getting a lot of 'host identified by XXXXXX e...
# fleet
w
I am getting a lot of "host identified by XXXXXX enrolling too often", how can I prevent that?
n
In Fleet 3.5.0 we introduced a host enrollment cooldown period. The logging you’re experiencing was also introduced in the above linked PR. As mentioned in the PR, we’re willing to explore rate limiting if the logging becomes an issue. How is the new logging negatively affecting your Fleet usage/experience?
z
@Wojtek this indicates that you have multiple hosts using the same identifier to enroll with Fleet, and you are likely missing some visibility due to this. Please see the information in https://github.com/fleetdm/fleet/issues/102#issuecomment-740220106 to determine what the cause and potential fix may be.
w
Thanks for the updates. I had some weird issues since I was deploying different versions on and on. It's just fine now, at least from an enrolling point of view.
r
@zwass I’m also seeing this issue now, with a handful of hosts, I can see in the logs the hostname and IP addresses are correct, it doesn’t look like duplicate VMs, more that they were spamming Fleet whilst it was being migrated to 3.6.0, and they seem to have gotten stuck in this state now. Is there any way to increase this cooldown period, or some other mechanism I can use to recover those hosts?
z
Do the logs indicate that these are coming from the same IP?
r
Yeah, that’s right 👍
So weirdly, checking today, it appears to have stabilised. I wonder if it was because I had upgraded, and restarted, that essentially every node started checking in several times because they weren’t getting a response promptly?
z
Osquery shouldn't do that, and a period of lack of connectivity should not cause osquery to re-enroll (as long as the node key remains valid). If you see this again can you try running that osqueryd with `--tls_dump` and get an idea of what the traffic looks like between the server and client?
r
ok, thanks I’ll give it a try 👍
it’s possible that these hosts have never successfully enrolled then?
I have an … eclectic mix of hosts and OS versions
z
It seems... possible? I'd take a look at the tls_dump logs and see if you can make anything more of it from that.
r
thanks again :)