https://github.com/osquery/osquery logo
Powered by
#kolide
Title
# kolide
a

Arden Shackelford

10/28/2020, 1:06 AM
Anyone have some ideas as to why osquery clients would show up in Koilde initially, but almost immediately show as offline and never come back? 
osquery
is already running in 
--verbose
. The 
osqueryd
logs only really show this over and over:
Copy code
I1027 19:57:23.884093 183284 tls.cpp:254] TLS/HTTPS POST request to URI: <https://fleet.my-domain.net:443>
I1027 19:57:24.906713 183284 tls.cpp:254] TLS/HTTPS POST request to URI: <https://fleet.my-domain.net:443>
I1027 19:57:28.928059 183284 tls.cpp:254] TLS/HTTPS POST request to URI: <https://fleet.my-domain.net:443>
I1027 19:58:28.953825 183284 tls.cpp:254] TLS/HTTPS POST request to URI: <https://fleet.my-domain.net:443>
I1027 19:58:29.978402 183284 tls.cpp:254] TLS/HTTPS POST request to URI: <https://fleet.my-domain.net:443>
I1027 19:58:33.999696 183284 tls.cpp:254] TLS/HTTPS POST request to URI: <https://fleet.my-domain.net:443>
I1027 19:59:34.024101 183284 tls.cpp:254] TLS/HTTPS POST request to URI: <https://fleet.my-domain.net:443>
I1027 19:59:35.051534 183284 tls.cpp:254] TLS/HTTPS POST request to URI: <https://fleet.my-domain.net:443>
I1027 19:59:39.074244 183284 tls.cpp:254] TLS/HTTPS POST request to URI: <https://fleet.my-domain.net:443>
z

zwass

10/28/2020, 1:48 AM
Use 
--tls_dump
to see the requests and responses.
a

Arden Shackelford

10/28/2020, 2:49 AM
Hmm. Looks like now in the 
stdout
I've got the responses, which contains what looks like to be HTML, so maybe I need to set another url parameter that I've missed somewhere? Here are the args I'm currently passing:
Copy code
args    = [
          "--config_path=/secrets/osquery.conf",
          "--pidfile=/alloc/data/osqueryd.pidfile",
          "--logger_path=${env["NOMAD_ALLOC_DIR"]}/logs",
          "--database_path=${env["NOMAD_ALLOC_DIR"]}/data",
          "--enroll_tls_endpoint=/api/v1/osquery/enroll",
          "--enroll_secret_env=OSQUERY_ENROLL_SECRET",
          "--host_identifier=hostname",
          "--disable_events=false",
          "--tls_server_certs=/etc/ssl/certs/ca-bundle.crt",
          "--tls_dump",
          "--verbose"
        ]
      }
Then in the config file I'm setting the 
tls_hostname
to the 
<http://fleet.my-domain.net|fleet.my-domain.net>
I've got the Fleet container resting behind Traefik
z

zwass

10/28/2020, 3:42 PM
You probably need the other 
_api_endpoint
flags.
a

Arden Shackelford

10/28/2020, 5:26 PM
Alrighty, in a better place now. Guess Nomad (or HashiCorp in general) has spoiled me with sane defaults being in place 😛 Ensured I had the following and it seems to better now:
Copy code
"config_tls_endpoint": "/api/v1/osquery/config",
        "enroll_tls_endpoint": "/api/v1/osquery/enroll",
        "distributed_tls_read_endpoint": "/api/v1/osquery/distributed/read",
        "distributed_tls_write_endpoint": "/api/v1/osquery/distributed/write",
        "logger_tls_endpoint": "/api/v1/osquery/log",
        "distributed_plugin": "tls",
        "distributed_interval": "10",
        "disable_distributed": false,
Thanks for the tip on the additional 
_api_endpoint
that got me looking a little more closely at a few places.
Powered by