Hello everyone! Please tell me what could be the reason for such errors? I see there is a problem with websockets, but I am not quite sure how to fix it. We use Nginx as LB before Fleet, as far as I know, websockets are included there. Actually, I started digging this question due to the fact that I noticed the incorrect execution of interactive queries in the GUI of the Fleet. For example, more than 3k hosts are online, but the results for the simplest query “osquery_info” come from less than a one thousand. distributed_interval is set at 30 seconds. logger_tls_period is 10 seconds. I don’t see any other errors in the browser console and Nginx during the request. An interesting point: the query results are returned within about 10 seconds after the request is sent, then the flit hangs a little and no longer returns new results, although the waiting time can be 10 minutes or more.

Are you able to successfully run this query via

fleetctl

? We sometimes see the browser UI having trouble rendering large result sets (though this doesn't sound like a particularly large result set). Looking at your error message though it does seem likely to be a websocket issue -- possibly a misconfiguration of nginx. Are you able to look in the network tab of the dev tools and see whether there is a successful websocket connection?

@zwass thank you for your answer! Yes, you’re right, we have no websocket connection. When we remove nginx, the connection is established without any problems. Could you help please with right nginx options so we can fix this problem? I can show you our current config in DM.

Can you share here redacting any confidential info? I am not super familiar with nginx but I know lots of folks here use it successfully with Fleet. I will still try to help.

@zwass ok, I agree. Our nginx config is based on the article https://defensivedepth.com/2020/04/02/kolide-fleet-breaking-out-the-osquery-api-web-ui/ Our goal was to separate the ports for sending messages from the server and the web administration interface (to which we were later paired with 2FA).

@defensivedepth don't wanna bother you, but I see your config is being used here and perhaps you know what the issue might be?

I dont see the grpc passes?

Maybe @Artem is using plain osquery (not Launcher)?

ya possibly

@zwass yes, you’re right again, now we use native osquery with fleet. But we are testing the launcher too.

Sounds like you will probably need to use the recommendations from both of us to resolve the issue. Good luck 🙂

Adding these options to the second location helped, missed this point. Thank you so much @zwass @defensivedepth! You are cool! Now we get query results from all users who are online. Plus, now the results are added smoother, without jumps of 100-200 users per second.