hello. i configured osquery to use the aws_firehose logger plugin (

--logger_plugin=aws_firehose

). it had been working fine for a couple years, but i recently started seeing the following in the logs:

<snip> aws_util.cpp:223] Exception making HTTP POST request to URL (<https://firehose>.<region>.<http://amazonaws.com|amazonaws.com>): certificate verify failed
<snip> aws_log_forwarder.h:219] aws_firehose: Successfully sent 1 out of 1 log records

i confirmed that the cert has not expired. despite the log line saying that logs were successfully sent, they do not actually end up in aws_firehose. i found this bug, which appears to be related. the bug has been closed, but i guess the fix won’t hit until milestone 5.4.0? while waiting for 5.4.0 to be released, do i need to downgrade to 5.2.3? is there anything else i can do in the meantime?

Hello @mcantu I would say that waiting to update o revert to a version before that change is the only solution

thanks, @Stefano Bonicatti. when i reverted to 5.2.3 on one of the linux endpoints, i noticed a bunch of the following errors when i attempted to start osqueryd.

$ sudo osqueryctl start
I0629 22:22:01.838433  2265 rocksdb.cpp:67] RocksDB: [WARN] [db/db_impl/db_impl_open.cc:1846] Persisting Option File error: OK
I0629 22:22:01.838570  2265 rocksdb.cpp:149] Rocksdb open failed (4:0) Invalid argument: Column families not opened: distributed
I0629 22:22:02.039718  2265 rocksdb.cpp:67] RocksDB: [WARN] [db/db_impl/db_impl_open.cc:1846] Persisting Option File error: OK
I0629 22:22:02.039856  2265 rocksdb.cpp:149] Rocksdb open failed (4:0) Invalid argument: Column families not opened: distributed
<snip>

i ended up blowing away the entire

osquery.db

directory…

$ sudo rm -Rf /var/osquery/osquery.db

. then i was able to start osqueryd successfully. is there a better way to resolve the errors above?

I’d expect 5.4 to be create sometime in the next two weeks