Arden Shackelford
10/28/2020, 1:06 AM
osquery is already running in --verbose. The osqueryd logs only really show this over and over:
I1027 19:57:23.884093 183284 tls.cpp:254] TLS/HTTPS POST request to URI: https://fleet.my-domain.net:443
I1027 19:57:24.906713 183284 tls.cpp:254] TLS/HTTPS POST request to URI: https://fleet.my-domain.net:443
I1027 19:57:28.928059 183284 tls.cpp:254] TLS/HTTPS POST request to URI: https://fleet.my-domain.net:443
I1027 19:58:28.953825 183284 tls.cpp:254] TLS/HTTPS POST request to URI: https://fleet.my-domain.net:443
I1027 19:58:29.978402 183284 tls.cpp:254] TLS/HTTPS POST request to URI: https://fleet.my-domain.net:443
I1027 19:58:33.999696 183284 tls.cpp:254] TLS/HTTPS POST request to URI: https://fleet.my-domain.net:443
I1027 19:59:34.024101 183284 tls.cpp:254] TLS/HTTPS POST request to URI: https://fleet.my-domain.net:443
I1027 19:59:35.051534 183284 tls.cpp:254] TLS/HTTPS POST request to URI: https://fleet.my-domain.net:443
I1027 19:59:39.074244 183284 tls.cpp:254] TLS/HTTPS POST request to URI: https://fleet.my-domain.net:443
zwass
--tls_dump to see the requests and responses.
Arden Shackelford
10/28/2020, 2:49 AM
stdout
I've got the responses, which contain what looks to be HTML, so maybe I need to set another URL parameter that I've missed somewhere?
Here are the args I'm currently passing:
args = [
"--config_path=/secrets/osquery.conf",
"--pidfile=/alloc/data/osqueryd.pidfile",
"--logger_path=${env["NOMAD_ALLOC_DIR"]}/logs",
"--database_path=${env["NOMAD_ALLOC_DIR"]}/data",
"--enroll_tls_endpoint=/api/v1/osquery/enroll",
"--enroll_secret_env=OSQUERY_ENROLL_SECRET",
"--host_identifier=hostname",
"--disable_events=false",
"--tls_server_certs=/etc/ssl/certs/ca-bundle.crt",
"--tls_dump",
"--verbose"
]
}
Then in the config file I'm setting the tls_hostname to fleet.my-domain.net
zwass
_api_endpoint flags.
Arden Shackelford
10/28/2020, 5:26 PM
"config_tls_endpoint": "/api/v1/osquery/config",
"enroll_tls_endpoint": "/api/v1/osquery/enroll",
"distributed_tls_read_endpoint": "/api/v1/osquery/distributed/read",
"distributed_tls_write_endpoint": "/api/v1/osquery/distributed/write",
"logger_tls_endpoint": "/api/v1/osquery/log",
"distributed_plugin": "tls",
"distributed_interval": "10",
"disable_distributed": false,
_api_endpoint that got me looking a little more closely at a few places.