We are getting most of the things sorted, but getting the following error in stderror for fleetd when a query is submitted.

Oct 01 15:38:10 <http://hostname.domain.net|hostname.domain.net> bash[8725]: {"component":"http","err":"read auth token: reading from websocket: sockjs: session not in open state","msg":"failed to read auth token","ts":"2020-10-01T15:38:10.35797483Z"}

I am also not getting anything in the results logs. Is there something in need to look at to figure this out? We are making a connection through NGINX. Nginx config is simple, no grpc pass

location / {

proxy_pass            <http://127.0.0.1:8080>;

proxy_read_timeout    900;

proxy_connect_timeout 90;

proxy_redirect        <http://127.0.0.1:8080>

<https://nginxserver.domain.net>;

proxy_set_header      Host $host;

proxy_set_header      X-Real-IP $remote_addr;

proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;

proxy_set_header      X-Forwarded-Proto $scheme;

proxy_set_header      Proxy "";

}

Is there something you need to do to enable websockets in nginx?

Thank you! Added a few things to NGINX, it now looks like this

location / {

proxy_pass            <http://127.0.0.1:8080>;

proxy_read_timeout    900;

proxy_connect_timeout 90;

proxy_redirect        <http://127.0.0.1:8080>

<https://nginxserver.domain.net>;

proxy_http_version    1.1;

proxy_set_header      Upgrade $http_upgrade;

proxy_set_header      Connection "upgrade";

proxy_set_header      Host $host;

proxy_set_header      X-Real-IP $remote_addr;

proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;

proxy_set_header      X-Forwarded-Proto $scheme;

proxy_set_header      Proxy "";

}

Things added are to switch to websockets

proxy_http_version    1.1;

proxy_set_header      Upgrade $http_upgrade;

proxy_set_header      Connection "upgrade";

Error is now gone, but still no results file. I see the following lines that i think are associated with the query

Oct 01 16:30:02 <http://hostname.domain.net|hostname.domain.net> bash[8381]: {"component":"service","err":null,"level":"info","method":"NewDistributedQueryCampaign","numHosts":1,"sql":"SELECT * FROM osquery_info","took":"24.039193ms","ts":"2020-10-01T16:30:02.008545807Z","user":"skupper"}

Oct 01 16:30:03 <http://hostname.domain.net|hostname.domain.net> bash[8381]: {"component":"service","err":null,"ip_addr":"127.0.0.1:36436","level":"debug","method":"SubmitDistributedQueryResults","took":"806.202µs","ts":"2020-10-01T16:30:03.998658057Z","x_for_ip_addr":"10.100.29.126"}

Oct 01 16:30:12 <http://hostname.domain.net|hostname.domain.net> bash[8381]: {"campaignID":35,"component":"service","err":null,"level":"info","method":"StreamCampaignResults","took":"10.017351952s","ts":"2020-10-01T16:30:12.562631547Z","user":"skupper"}

That's expected. See https://github.com/kolide/fleet/blob/master/docs/infrastructure/faq.md#live-queries.

Thank you!

You're welcome 🍻