Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
z
Zach Zeid
08/20/2020, 6:52 PMIs there a difference in how fleet manages scheduled packs already on endpoints vs. ones that are created through the UI? I see results from the packs already existing on the endpoints, but I don't see anything from scheduled packs I create through the UI.
s
sundsta
08/20/2020, 8:08 PMDo you have
--config_tls_endpointThat option is what tells osquery to obtain new configurations over TLS
z
Zach Zeid
08/20/2020, 8:56 PMyeah I do
"config_tls_endpoint": "/api/v1/osquery/config",z
zwass
08/20/2020, 8:58 PMIf osquery is reading configs from disk it's not reading configs from Fleet
You need to set
config_plugin=tlsz
Zach Zeid
08/20/2020, 8:58 PMI do have that set
"config_plugin": "tls",{
"options": {
"config_refresh": "600",
"logger_plugin": "tls",
"enroll_secret_path": "foobar",
"tls_server_certs": "/foobaz",
"tls_hostname": "<http://dev.fleet.example.org|dev.fleet.example.org>",
"enroll_tls_endpoint": "/api/v1/osquery/enroll",
"config_plugin": "tls",
"config_tls_endpoint": "/api/v1/osquery/config",
"config_refresh": "10",
"disable_distributed": "false",
"distributed_plugin": "tls",
"distributed_interval": "10",
"distributed_tls_max_attempts": "3",
"distributed_tls_read_endpoint": "/api/v1/osquery/distributed/read",
"distributed_tls_write_endpoint": "/api/v1/osquery/distributed/write",
"logger_tls_endpoint": "/api/v1/osquery/log",
"logger_tls_period": "10",
"schedule_splay_percent": "10",
"pidfile": "/var/run/osquery.pidfile",
"events_expiry": "3600",
"database_path": "/var/osquery/osquery.db",
"disable_tables": "",
"read_max": "100000",
"events_max": "100000",
"host_identifier": "uuid",
"logger_min_status": 0,
"disable_logging": false,
"utc": "true"
},z
zwass
08/20/2020, 9:19 PMThat is being sent from Fleet?
z
Zach Zeid
08/20/2020, 9:22 PMI manually edited this..
I see I had
KOLIDE_SERVER_TLS=falsez
zwass
08/20/2020, 9:41 PMI would add
--verbose --tls_dumpz
Zach Zeid
08/20/2020, 9:49 PMthe host does get enrolled because it does show up in the dashboard, but I don't see any logs being generated at all.
when I do set
KOLIDE_SERVER_TLS=true` "terminated": "tls: failed to find any PEM data in key input",server_keyserver_certI guess I'm curious why the host will enroll with fleet, but can't pull down configs. I know I'm missing something, but I can't figure out what exactly I'm missing.
Running an ad-hoc query also works, so 🤷
z
zwass
08/20/2020, 10:36 PMYou'll need to run osquery in verbose mode and see the network comms
z
Zach Zeid
08/20/2020, 10:40 PMhuh,
I0820 18:40:36.960268 28460 glog_logger.cpp:44] Could not get RPM header flag.z
zwass
08/20/2020, 10:44 PMSeems unrelated
You'll need to look at the tls_dump logs
z
Zach Zeid
08/20/2020, 10:47 PMah interesting! I had both
--verbose--tls_dumposquery.flagsosquerydI0820 18:46:38.206319 28547 tls.cpp:253] TLS/HTTPS POST request to URI: <https://fleet.boop.org/api/v1/osquery/distributed/read>
{"node_key":"foobar"}
{
"queries": {}
}This is interesting! I'm definitely seeing the queries from the packs being sent up to fleet, but I'm assuming where
"queries":{}z
zwass
08/20/2020, 10:54 PMNo, this is a live query request
Need to find the request to
api/v1/osquery/configIf there is none, you haven't configured osquery to retrieve configs from Fleet
z
Zach Zeid
08/20/2020, 10:57 PMok, then that's where I'm confused, I'm sure this is a mostly correct config
"options": {
"config_refresh": "600",
"logger_plugin": "tls",
"tls_server_certs": "/etc/osquery/certs/somecert.crt",
"tls_client_key": "/etc/osquery/certs/somekey.key",
"tls_hostname": "<http://fleet.beep.boop.org|fleet.beep.boop.org>",
"enroll_tls_endpoint": "/api/v1/osquery/enroll",
"config_plugin": "tls",
"config_tls_endpoint": "/api/v1/osquery/config",
"config_refresh": "10",
"disable_distributed": "false",
"distributed_plugin": "tls",
"distributed_interval": "10",
"distributed_tls_max_attempts": "3",
"distributed_tls_read_endpoint": "/api/v1/osquery/distributed/read",
"distributed_tls_write_endpoint": "/api/v1/osquery/distributed/write",
"logger_tls_endpoint": "/api/v1/osquery/log",
"logger_tls_period": "10",
"schedule_splay_percent": "10",
"pidfile": "/var/run/osquery.pidfile",
"events_expiry": "3600",
"database_path": "/var/osquery/osquery.db",
"disable_tables": "",
"read_max": "100000",
"events_max": "100000",
"host_identifier": "uuid",
"logger_min_status": 0,
"disable_logging": false,
"utc": "true"
},is it not configured to pull from fleet?
this is on the endpoint, so should this config be living on kolide fleet?
z
zwass
08/20/2020, 11:01 PMI'm not sure that you can load a config from disk first and then osquery will switch to TLS. Typically folks hook everything up with a flagfile and serve the config from TLS.
z
Zach Zeid
08/20/2020, 11:04 PM🤔 so more something like this?
cat /etc/osquery/osquery.flags
Ansible managed
--config_plugin=filesystem, tls
--config_path=/etc/osquery/osquery.conf
--config_refresh=600
--watchdog_level=1
--tls_dump
--verbose
--extensions_socket=/var/osquery/osquery.em
--pidfile=/var/run/osquery.pidfilez
zwass
08/20/2020, 11:10 PMYes, but you have an invalid value for config_plugin and you need to set the rest of the flags for connecting to fleet.
Please check out the docs
z
Zach Zeid
08/20/2020, 11:21 PMI'll doubly check them, this got me a lot further. Thank you!
z
zwass
08/20/2020, 11:27 PMThere's a complete example of flags in https://github.com/kolide/fleet/blob/master/docs/infrastructure/adding-hosts-to-fleet.md#launching-osqueryd
z
Zach Zeid
08/21/2020, 12:02 PMI was able to get this working, thanks for your help!
🍻 1