Channels
doorman
infrastructure
random
zercurity
community-feeds
fleet-dev
code-review
queryhub
apple-silicon
carving
tls
fim
goquery
zentral
aws
querycon
golang
zeek
file-carving
fuzzing
auditing-warroom
linen-dev
fleetosquery
plugins
jobs
arm-architecture
darkbytes
process-auditing
uptycs
android_tests
selfgroup
vendor-feeds
fleet
eclecticiq-polylogyx-extension
ebpf
website
core
general
macos
kolide
osctrl
extensions
foundation
sql
officehours
linux
windows
Title
k
Kathy Satterlee
03/10/2022, 8:55 PM@Dan Achin Is seeing some odd behavior when attempting to enroll new hosts using osquery flags:
We recreated the osquery.flags and the enroll secret files under
C:\Temp\osqueryconf\"C:\Program Files\osquery\osqueryd\osqueryd.exe" --flagfile="C:\Temp\osqueryconf\osquery.flags" --verbose --tls_dump<https://fleet.xxxx.net:443/api/v1/osquery/enroll> (No node key returned from TLS enroll plugin) retrying...
{
"error": "enroll failed: no matching secret found",
"node_invalid": true
}2022-03-10T19:54:06.128619+00:00 <http://xxxx.xxxx.net|xxxx.xxxx.net> fleet: {"component":"service","err":"enroll failed: no matching secret found","host_identifier":"xx-xx-xx-xx-xx","ip_addr":"xxx.x.x.x:xxxxx","level":"info","method":"EnrollAgent","took":"1.789708ms","ts":"2022-03-10T19:54:06.128302224Z","x_for_ip_addr":"xx.xxx.xx.x"}👀 1
Flags File:
@Dan Achin Can you try removing the quotes from the path for the
--enroll_secret_path🙏 1
b
Benjamin Edwards
03/10/2022, 8:59 PMI would try using env var as enroll secret to by-pass any issues reading those files (some sneaky permissions thing..)
rather than
--enroll_secret_path--enroll_secret_env=ENROLL_SECRETENROLL_SECRET=foobarsecretset ENROLL_SECRET=foobarsecretd
Dan Achin
03/10/2022, 9:18 PMThanks, will try those.
For those that weren't directly troubleshooting with us earlier today, it's worth noting that we have ~30k hosts that work fine and it's just one team having issues with Windows systems. The fact that we got farther along in the debug (vs just exiting) and are now communicating with Fleet, shows that we must not have been able to read the osquery.flags file when it existed under Program Files, even though the permissions looked correct and other internal teams are not having the issue.
👍 1
Looks like removing the quotes around the secret file path may have worked
😛artyparrot: 1
yep, that worked! We have to figure out where we want to put the files now and it's strange that our original location worked fine on some windows systems and not these...but at least we have a path forward. Thanks!
k
Kathy Satterlee
03/10/2022, 10:00 PMExcellent! That's definitely an odd one as well, but I'm glad you've got a good path forward.
👍 1