:wave: Trying to debug an issue and I'm curious if...
# kolide
h
👋 Trying to debug an issue and I'm curious if anyone else has encountered it here — we have a group of Linux endpoints that were enrolled in Fleet previously but are no longer visible in the UI or reachable via fleetctl. My theory is that this may be related to the "automatic host expiry" option enabled but the "last seen time" for one of the hosts is yesterday; our expiry window is much larger than 24 hrs 😛. How does Kolide determine "last seen time"?
z
Any time the host makes a request to Fleet the seen time is updated.
Even if a host is "expired" by not checking in for the period, if osqueryd runs with the appropriate configuration (enroll secret) it will just re-enroll.
h
huh
z
These hosts are still in the DB?
h
I haven't hopped onto the DB instance yet, I was trying to reach the host via fleetctl and the Fleet UI first.
z
Does the host show up in fleetctl get hosts?
How do you know what the last seen time is if the hosts don't show up?
h
We ingest Fleet server logs into BigQuery
z
So you saw a server log indicating that host made a request?
h
We have a log line that shows the host was online yesterday and its last_seen_time was also yesterday.
I was also expecting the nodes to re-enroll as well. I was able to re-enroll it by supplying the config + enroll endpoint flags from the command line.
z
Where did you see the last_seen_time if not in the UI or DB?
h
Sorry, let me clarify. I didn't interface with the DB directly. We are ingesting the DB data into GCP's BigQuery and I was able to see the last_seen_time and online status there.
z
Ah, I see. Would be interesting to know if the entry is in the DB. If so, there's no reason it should not be available through the UI/fleetctl.