# kolide
a
Anyone have some ideas as to why osquery clients would show up in Kolide initially, but almost immediately show as offline and never come back? `osquery` is already running in `--verbose`. The `osqueryd` logs only really show this over and over:

```
I1027 19:57:23.884093 183284 tls.cpp:254] TLS/HTTPS POST request to URI: https://fleet.my-domain.net:443
I1027 19:57:24.906713 183284 tls.cpp:254] TLS/HTTPS POST request to URI: https://fleet.my-domain.net:443
I1027 19:57:28.928059 183284 tls.cpp:254] TLS/HTTPS POST request to URI: https://fleet.my-domain.net:443
I1027 19:58:28.953825 183284 tls.cpp:254] TLS/HTTPS POST request to URI: https://fleet.my-domain.net:443
I1027 19:58:29.978402 183284 tls.cpp:254] TLS/HTTPS POST request to URI: https://fleet.my-domain.net:443
I1027 19:58:33.999696 183284 tls.cpp:254] TLS/HTTPS POST request to URI: https://fleet.my-domain.net:443
I1027 19:59:34.024101 183284 tls.cpp:254] TLS/HTTPS POST request to URI: https://fleet.my-domain.net:443
I1027 19:59:35.051534 183284 tls.cpp:254] TLS/HTTPS POST request to URI: https://fleet.my-domain.net:443
I1027 19:59:39.074244 183284 tls.cpp:254] TLS/HTTPS POST request to URI: https://fleet.my-domain.net:443
```
z
Use `--tls_dump` to see the requests and responses.
a
Hmm. Looks like now in the `stdout` I've got the responses, which contain what looks to be HTML, so maybe I need to set another URL parameter that I've missed somewhere? Here are the args I'm currently passing:

```hcl
args    = [
  "--config_path=/secrets/osquery.conf",
  "--pidfile=/alloc/data/osqueryd.pidfile",
  "--logger_path=${env["NOMAD_ALLOC_DIR"]}/logs",
  "--database_path=${env["NOMAD_ALLOC_DIR"]}/data",
  "--enroll_tls_endpoint=/api/v1/osquery/enroll",
  "--enroll_secret_env=OSQUERY_ENROLL_SECRET",
  "--host_identifier=hostname",
  "--disable_events=false",
  "--tls_server_certs=/etc/ssl/certs/ca-bundle.crt",
  "--tls_dump",
  "--verbose"
]
}
```

Then in the config file I'm setting the `tls_hostname` to `fleet.my-domain.net`. I've got the Fleet container resting behind Traefik.
z
You probably need the other `_api_endpoint` flags.
a
Alrighty, in a better place now. Guess Nomad (or HashiCorp in general) has spoiled me with sane defaults being in place 😛 Ensured I had the following and it seems to be better now:

```json
"config_tls_endpoint": "/api/v1/osquery/config",
"enroll_tls_endpoint": "/api/v1/osquery/enroll",
"distributed_tls_read_endpoint": "/api/v1/osquery/distributed/read",
"distributed_tls_write_endpoint": "/api/v1/osquery/distributed/write",
"logger_tls_endpoint": "/api/v1/osquery/log",
"distributed_plugin": "tls",
"distributed_interval": "10",
"disable_distributed": false,
```

Thanks for the tip on the additional `_api_endpoint`; that got me looking a little more closely at a few places.