Title
#fleet
w

Wojtek

12/14/2020, 10:19 AM
I am getting a lot of 'host identified by XXXXXX enrolling too often", how I can prevent that ?
Noah Talerman

Noah Talerman

12/14/2020, 5:13 PM
In Fleet 3.5.0 we introduced a host enrollment cooldown period. The logging you’re experiencing was also introduced in the above linked PR. As mentioned in the PR, we’re willing to explore rate limiting if the logging becomes an issue. How is the new logging negatively effecting your Fleet usage/experience?
zwass

zwass

12/14/2020, 5:51 PM
@Wojtek this indicates that you have multiple hosts using the same identifier to enroll with Fleet, and you are likely missing some visibility due to this. Please see the information in https://github.com/fleetdm/fleet/issues/102#issuecomment-740220106 to determine what the cause and potential fix may be.
w

Wojtek

12/15/2020, 10:54 AM
Thanks for updates. I had some weird issues since I was deploying different versions on an on. Its just fine now at least from enrolling point of view.
r

Ryan

01/18/2021, 5:22 PM
@zwass I’m also seeing this issue now, with a handful of hosts, I can see in the logs the hostname and IP addresses are correct, it doesn’t look like duplicate VMs, more that they were spamming Fleet whilst it was being migrated to 3.6.0, and they seem to have gotten stuck in this state now. Is there any way to increase this cooldown period, or some other mechanism I can use to recover those hosts?
zwass

zwass

01/19/2021, 12:06 AM
Do the logs indicate that these are coming from the same IP?
r

Ryan

01/20/2021, 10:41 AM
Yeah, that’s right 👍
2:45 PM
So weirdly, checking today, it appears to have stabilised. I wonder if it was because I had upgraded, and restarted, that essentially every node started checking in several times because they weren’t getting a response promptly?
zwass

zwass

01/20/2021, 3:28 PM
Osquery shouldn't do that, and a period of lack of connectivity should not cause osquery to re-enroll (as long as the node key remains valid). If you see this again can you try running that osqueryd with
--tls_dump
and get an idea of what the traffic looks like between the server and client?
r

Ryan

01/20/2021, 4:11 PM
ok, thanks I’ll give it a try 👍
4:12 PM
it’s possible that these hosts have never successfully enrolled then?
4:12 PM
I have an … eclectic mix of hosts and OS versions
zwass

zwass

01/20/2021, 4:20 PM
It seems... possible? I'd take a look at the tls_dump logs and see if you can make anything more of it from that.
👍 1
r

Ryan

01/20/2021, 4:36 PM
thanks again 😃