Hey everyone I ve got an issue where some hosts are not call

Question

Hey everyone I ve got an issue where some hosts are not calling the `enroll` endpoint so I don t see them in the Kolide UI but those hosts read the config from Kolide just fine and also send logs without any issues The installation is the same on many hosts and this behaviour only happens on some of them I ve tried using the ` tls dump verbose` flags to see if there was any pointer but I didn t see any there s no info about enrollment Any ideas

Cristhian Amaya · Answer

I used the flag ` enroll always` on one of the machines and it was enrolled correctly yay The flag is not documented and I found it here <https github com osquery osquery pull 2827 files> Does anyone have any info about the implications of having that flag permanently

terracatta · Answer

I was not aware this flag existed either this code sees to imply that each time the daemon is restarted it will enroll as a new device This likely will result in a duplicate device time osquery restarts

Cristhian Amaya · Answer

< terracatta> just tried and it doesn t duplicate hosts in kolide I haven t checked the code but it could be checking the host identifier as well and just updated the node key on every enrollment

terracatta · Answer

very possible if your host identifier is stable

seph · Answer

That seems like an interesting workaround to a real problem

Cristhian Amaya · Answer

So I ve done more tests today and confirmed that there are no side effects to having the ` enroll always` flag enabled if you have stable host identifiers as < terracatta> pointed out If a host already exists on Kolide and there s a new enrollment request Kolide justs updates the node key For background context in case it helps someone Our problem is that some hosts are being built based on images where osquery was already installed and enrolled so all of them had the same node key which means that the enrollment process was never executed And the last reference because I didn t find an answer on the internet this is how I read the node key on a host ```grep l nodeKey var osquery osquery db sst strings var osquery osquery db FILE NAME sst | grep nodeKey A 1```

terracatta · Answer

ideally before you cut your image you delete the osquery database

terracatta · Answer

and then you won t need this special flag

Cristhian Amaya · Answer

yea that would be the ideal solution I ll check how standardised is our image baking process is to propose that change slightly smiling face

Julian Scala · Answer

what do you exactly mean with a `stable` host identifier We specify the host identifier to our own UUID on every host Does that means stable

Cristhian Amaya · Answer

< Julian Scala> I d say yes I understand a stable identifier is something that is static per host and unique across your fleet

Julian Scala · Answer

Thanks