Channels
doorman
infrastructure
random
zercurity
community-feeds
fleet-dev
code-review
queryhub
apple-silicon
carving
tls
fim
goquery
zentral
aws
querycon
golang
zeek
file-carving
fuzzing
auditing-warroom
linen-dev
fleetosquery
plugins
jobs
arm-architecture
darkbytes
process-auditing
uptycs
android_tests
selfgroup
vendor-feeds
fleet
eclecticiq-polylogyx-extension
ebpf
website
core
general
macos
kolide
osctrl
extensions
foundation
sql
officehours
linux
windows
Title
z
Zach Zeid
09/03/2020, 5:36 PMwhen running
--tls_dumpwhile I'm seeing the results go into kolide successfully from my test fleet, I'm also getting
tls negotiationz
zwass
09/03/2020, 6:03 PMNo. That probably means that you've configured osquery to hit the incorrect endpoints, or your LB is serving HTML for some reason.
Under normal conditions you will only see JSON in the
--tls_dumpz
Zach Zeid
09/03/2020, 6:04 PMit's an AWS NLB, so it's entirely possible.
I see the html right after this
[14:00:57] ~$ I0903 14:00:58.274202 23479 tls.cpp:253] TLS/HTTPS POST request to URI: <https://dev.fleet.sec.xxxx.org>It returns the node_key just fine, then a bunch of html
I can't imagine I'm hitting incorrect endpoints, given that the results from the queries are showing up.
z
zwass
09/03/2020, 6:11 PMThere's nothing after
.orgMaybe you're missing
config_tls_endpointz
Zach Zeid
09/03/2020, 6:13 PMI don't think so, the test instance is pulling down configs, and
config_tls_endpointz
zwass
09/03/2020, 6:14 PMIf you are hitting the root path then it's pulling down the login page
So you need to figure out why osqueryd is hitting that path
It's probably one of the
_endpointz
Zach Zeid
09/03/2020, 6:16 PMsudo osqueryd --verbose --tls_dump --tls_hostname <http://dev.fleet.sec.xxx.org|dev.fleet.sec.xxx.org> --config_plugin tls --tls_server_certs /etc/osquery/certs/kolide_fleet.crt --logger_tls_endpoint /api/v1/osquery/log --config_tls_endpoint /api/v1/osquery/config --logger_plugin tls --enroll_tls_endpoint /api/v1/osquery/enroll --enroll_secret_path /etc/osquery/enroll_secretI think I have all the endpoint flags defined.
should the
tls_hostname--tls_hostname <http://dev.fleet.sec.xxx.org|dev.fleet.sec.xxx.org>s
seph
09/03/2020, 8:12 PMWell, what’s the html?
Maybe it’s telling you what’s wrong….
z
Zach Zeid
09/03/2020, 10:06 PMit's actually the html from the web ui...
z
zwass
09/03/2020, 11:09 PMYeah, sounds like osquery is just hitting the root path and Fleet is serving the root path as expected.
z
Zach Zeid
09/03/2020, 11:34 PMwell, the tls_hostname is the same URL has the ui so I guess that's expected. Not sure what would make them different.
z
zwass
09/03/2020, 11:36 PMosquery is supposed to append the
_endpointz
Zach Zeid
09/03/2020, 11:37 PMso it'd be
<http://dev.fleet.sec.xxx.org/api/v1/osquery/{config|dev.fleet.sec.xxx.org/api/v1/osquery/{config>, enroll, log}I guess I don't understand, afaik I have configured things correctly.
z
zwass
09/03/2020, 11:41 PMDid you configure distributed read/write?
z
Zach Zeid
09/03/2020, 11:44 PM🤦
that was set in my flags file, but not when I was running osquery from the command line
z
zwass
09/03/2020, 11:47 PMAh yeah that could explain it
z
Zach Zeid
09/03/2020, 11:49 PMthe html was being generated because it wasn't hitting the distributed endpoints, just the root hostname?
z
zwass
09/03/2020, 11:50 PMCorrect. It would have just seen the login page because it wasn't hitting an api endpoint.
z
Zach Zeid
09/03/2020, 11:51 PMare the distributed endpoints used mainly for ad-hoc queries? I don't see a ton in the docs about them.
z
zwass
09/03/2020, 11:51 PMYeah, just for ad-hoc queries
z
Zach Zeid
09/03/2020, 11:52 PM👍 Thank you, this was helpful.
Would it be a correct statement to say if the distributed endpoints aren't configured, then any ad-hoc queries sent from fleet wouldn't make it to the hosts?
z
zwass
09/03/2020, 11:55 PMYes
And if you don't want ad-hoc queries then you're best off setting
--disable_distributedz
Zach Zeid
09/03/2020, 11:56 PMor in this case, fleet has the ability to send that config to hosts as well?
z
zwass
09/03/2020, 11:58 PMYes, I believe osquery will respect that flag if set in Fleet.
z
Zach Zeid
09/04/2020, 12:05 AMAwesome, thank you!