Title
#kolide
z

Zach Zeid

09/03/2020, 5:36 PM
when running
--tls_dump
I see what appears to be html in the output, is that expected?
5:44 PM
while I'm seeing the results go into kolide successfully from my test fleet, I'm also getting
tls negotiation
errors as well, and I'm attempting to figure out why that is
zwass

zwass

09/03/2020, 6:03 PM
No. That probably means that you've configured osquery to hit the incorrect endpoints, or your LB is serving HTML for some reason.
6:04 PM
Under normal conditions you will only see JSON in the
--tls_dump
output.
z

Zach Zeid

09/03/2020, 6:04 PM
it's an AWS NLB, so it's entirely possible.
6:06 PM
I see the html right after this
[14:00:57] ~$ I0903 14:00:58.274202 23479 tls.cpp:253] TLS/HTTPS POST request to URI: <https://dev.fleet.sec.xxxx.org>
6:07 PM
It returns the node_key just fine, then a bunch of html
6:09 PM
I can't imagine I'm hitting incorrect endpoints, given that the results from the queries are showing up.
zwass

zwass

09/03/2020, 6:11 PM
There's nothing after
.org
?
6:12 PM
Maybe you're missing
config_tls_endpoint
?
z

Zach Zeid

09/03/2020, 6:13 PM
I don't think so, the test instance is pulling down configs, and
config_tls_endpoint
is configured in the flags file. It occurs to me that this is a result of the fleet server being behind a network gateway, and that' is what is returning the html.
zwass

zwass

09/03/2020, 6:14 PM
If you are hitting the root path then it's pulling down the login page
6:14 PM
So you need to figure out why osqueryd is hitting that path
6:15 PM
It's probably one of the
_endpoint
flags missing
z

Zach Zeid

09/03/2020, 6:16 PM
sudo osqueryd --verbose --tls_dump --tls_hostname <http://dev.fleet.sec.xxx.org|dev.fleet.sec.xxx.org> --config_plugin tls --tls_server_certs /etc/osquery/certs/kolide_fleet.crt --logger_tls_endpoint /api/v1/osquery/log --config_tls_endpoint /api/v1/osquery/config --logger_plugin tls --enroll_tls_endpoint /api/v1/osquery/enroll --enroll_secret_path /etc/osquery/enroll_secret
6:16 PM
I think I have all the endpoint flags defined.
7:05 PM
should the
tls_hostname
be something else?
--tls_hostname <http://dev.fleet.sec.xxx.org|dev.fleet.sec.xxx.org>
right now that's the url we use to get to the web ui
s

seph

09/03/2020, 8:12 PM
Well, what’s the html?
8:13 PM
Maybe it’s telling you what’s wrong….
z

Zach Zeid

09/03/2020, 10:06 PM
it's actually the html from the web ui...
zwass

zwass

09/03/2020, 11:09 PM
Yeah, sounds like osquery is just hitting the root path and Fleet is serving the root path as expected.
z

Zach Zeid

09/03/2020, 11:34 PM
well, the tls_hostname is the same URL has the ui so I guess that's expected. Not sure what would make them different.
zwass

zwass

09/03/2020, 11:36 PM
osquery is supposed to append the
_endpoint
flags to the hostname. That's why I suggested checking that they are all configured properly.
z

Zach Zeid

09/03/2020, 11:37 PM
so it'd be
<http://dev.fleet.sec.xxx.org/api/v1/osquery/{config|dev.fleet.sec.xxx.org/api/v1/osquery/{config>, enroll, log}
right?
11:38 PM
I guess I don't understand, afaik I have configured things correctly.
zwass

zwass

09/03/2020, 11:41 PM
Did you configure distributed read/write?
z

Zach Zeid

09/03/2020, 11:44 PM
🤦
11:46 PM
that was set in my flags file, but not when I was running osquery from the command line
zwass

zwass

09/03/2020, 11:47 PM
Ah yeah that could explain it
z

Zach Zeid

09/03/2020, 11:49 PM
the html was being generated because it wasn't hitting the distributed endpoints, just the root hostname?
zwass

zwass

09/03/2020, 11:50 PM
Correct. It would have just seen the login page because it wasn't hitting an api endpoint.
z

Zach Zeid

09/03/2020, 11:51 PM
are the distributed endpoints used mainly for ad-hoc queries? I don't see a ton in the docs about them.
zwass

zwass

09/03/2020, 11:51 PM
Yeah, just for ad-hoc queries
z

Zach Zeid

09/03/2020, 11:52 PM
👍 Thank you, this was helpful. Would it be a correct statement to say if the distributed endpoints aren't configured, then any ad-hoc queries sent from fleet wouldn't make it to the hosts?
zwass

zwass

09/03/2020, 11:55 PM
Yes
11:56 PM
And if you don't want ad-hoc queries then you're best off setting
--disable_distributed
(which is the default) so osquery doesn't even try.
z

Zach Zeid

09/03/2020, 11:56 PM
or in this case, fleet has the ability to send that config to hosts as well?
zwass

zwass

09/03/2020, 11:58 PM
Yes, I believe osquery will respect that flag if set in Fleet.
z

Zach Zeid

09/04/2020, 12:05 AM
Awesome, thank you!