Title
#kolide
Steve Kupper

Steve Kupper

10/01/2020, 3:46 PM
We are getting most of the things sorted, but getting the following error in stderror for fleetd when a query is submitted.
Oct 01 15:38:10 <http://hostname.domain.net|hostname.domain.net> bash[8725]: {"component":"http","err":"read auth token: reading from websocket: sockjs: session not in open state","msg":"failed to read auth token","ts":"2020-10-01T15:38:10.35797483Z"}
I am also not getting anything in the results logs. Is there something in need to look at to figure this out? We are making a connection through NGINX. Nginx config is simple, no grpc pass
location / {
proxy_pass            <http://127.0.0.1:8080>;
proxy_read_timeout    900;
proxy_connect_timeout 90;
proxy_redirect        <http://127.0.0.1:8080>
<https://nginxserver.domain.net>;
proxy_set_header      Host $host;
proxy_set_header      X-Real-IP $remote_addr;
proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header      X-Forwarded-Proto $scheme;
proxy_set_header      Proxy "";
}
zwass

zwass

10/01/2020, 4:02 PM
Is there something you need to do to enable websockets in nginx?
Steve Kupper

Steve Kupper

10/01/2020, 4:32 PM
Thank you! Added a few things to NGINX, it now looks like this
location / {
proxy_pass            <http://127.0.0.1:8080>;
proxy_read_timeout    900;
proxy_connect_timeout 90;
proxy_redirect        <http://127.0.0.1:8080>
<https://nginxserver.domain.net>;
proxy_http_version    1.1;
proxy_set_header      Upgrade $http_upgrade;
proxy_set_header      Connection "upgrade";
proxy_set_header      Host $host;
proxy_set_header      X-Real-IP $remote_addr;
proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header      X-Forwarded-Proto $scheme;
proxy_set_header      Proxy "";
}
Things added are to switch to websockets
proxy_http_version    1.1;
proxy_set_header      Upgrade $http_upgrade;
proxy_set_header      Connection "upgrade";
Error is now gone, but still no results file. I see the following lines that i think are associated with the query
Oct 01 16:30:02 <http://hostname.domain.net|hostname.domain.net> bash[8381]: {"component":"service","err":null,"level":"info","method":"NewDistributedQueryCampaign","numHosts":1,"sql":"SELECT * FROM osquery_info","took":"24.039193ms","ts":"2020-10-01T16:30:02.008545807Z","user":"skupper"}
Oct 01 16:30:03 <http://hostname.domain.net|hostname.domain.net> bash[8381]: {"component":"service","err":null,"ip_addr":"127.0.0.1:36436","level":"debug","method":"SubmitDistributedQueryResults","took":"806.202ยตs","ts":"2020-10-01T16:30:03.998658057Z","x_for_ip_addr":"10.100.29.126"}
Oct 01 16:30:12 <http://hostname.domain.net|hostname.domain.net> bash[8381]: {"campaignID":35,"component":"service","err":null,"level":"info","method":"StreamCampaignResults","took":"10.017351952s","ts":"2020-10-01T16:30:12.562631547Z","user":"skupper"}
Steve Kupper

Steve Kupper

10/01/2020, 4:39 PM
Thank you!
zwass

zwass

10/01/2020, 4:40 PM
You're welcome ๐Ÿป