Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
r
ravindrags24
04/24/2020, 9:50 AMHi Friends: Have some issues with new Kolide fleet server.
Present Fleet version 2.6.0
Osquery Version: 4.3.0
Problem is below command works perfectly fine on Ubuntu host to join Kolide fleet server, but same command is not working on Windows host.
sudo /usr/bin/osqueryd --enroll_secret_path=/var/osquery/enroll_secret --tls_server_certs=/var/osquery/kolide.pem --tls_hostname=<http://kolide-test.abc.com|kolide-test.abc.com> --host_identifier=hostname --enroll_tls_endpoint=/api/v1/osquery/enroll --config_plugin=tls --config_tls_endpoint=/api/v1/osquery/config --config_refresh=10 --disable_distributed=false --distributed_plugin=tls --distributed_interval=3 --distributed_tls_max_attempts=3 --distributed_tls_read_endpoint=/api/v1/osquery/distributed/read --distributed_tls_write_endpoint=/api/v1/osquery/distributed/write --logger_plugin=tls --logger_tls_endpoint=/api/v1/osquery/log --logger_tls_period=10PS C:\Program Files\osquery> .\manage-osqueryd.ps1 -install --enroll_secret_path=C:\Program Files\osquery\secret.txt --tls_hostname=<http://kolide-test.abc.com|kolide-test.abc.com> --tls_server_certs=\Program Files\osquery\certs\kolide.pem --enroll_tls_endpoint=/api/v1/osquery/enroll --config_plugin=tls --config_tls_endpoint=/api/v1/osquery/config --config_refresh=10 --disable_distributed=false --distributed_plugin=tls --distributed_interval=3 --distributed_tls_max_attempts=3 --distributed_tls_read_endpoint=/api/v1/osquery/distributed/read --distributed_tls_write_endpoint=/api/v1/osquery/distributed/write --logger_plugin=tls --logger_tls_endpoint=/api/v1/osquery/log --logger_tls_period=10a
Alexandr Ivanov
04/24/2020, 11:01 AMProbably because of space between Program Files in _enroll_secret_path=C:\Program Files\osquery\secret.txt_
r
ravindrags24
04/24/2020, 11:03 AMEven I tried with
'\Program Files\osquery\secret.txt'a
Alexandr Ivanov
04/24/2020, 11:11 AMI’ve make it work by putting all flags into flagfile and starting ps1 script with --flagfile. Also I noticed that you missed drive letter in tls_server_certs flag
r
ravindrags24
04/24/2020, 11:13 AMOh thanks. Will check that right now.
I have created flagfile and below are the details for that.
--enroll_secret_path=C:\Program Files\osquery\secret.txt
--tls_hostname=<http://abc.com|abc.com>
--tls_server_certs=C:\Program Files\osquery\certs\<http://abc.com|abc.com>.pem
--host_identifier=hostname
--enroll_tls_endpoint=/api/v1/osquery/enroll
--config_plugin=tls
--config_tls_endpoint=/api/v1/osquery/config
--config_refresh=10
--logger_plugin=tls
--disable_distributed=false
--distributed_plugin=tls
--distributed_interval=3
--distributed_tls_max_attempts=3
--distributed_tls_read_endpoint=/api/v1/osquery/distributed/read
--distributed_tls_write_endpoint=/api/v1/osquery/distributed/write
--logger_plugin=tls --logger_tls_endpoint=/api/v1/osquery/log
--debug
--logger_tls_period=10.\osqueryd.exe --flagfile='C:\Program Files\osquery\osquery.flags'
Thrift: Sat Apr 25 13:52:04 2020 Client connected.
Thrift: Sat Apr 25 13:52:04 2020 TPipe ::GetOverlappedResult errored GLE=errno = 109
Thrift: Sat Apr 25 13:52:04 2020 Client connected.
Thrift: Sat Apr 25 13:52:04 2020 TConnectedClient died: TPipe: GetOverlappedResult failed
Thrift: Sat Apr 25 13:52:04 2020 TPipe ::GetOverlappedResult errored GLE=errno = 109
Thrift: Sat Apr 25 13:52:04 2020 TConnectedClient died: TPipe: GetOverlappedResult failed
W0425 13:52:06.597894 2140 tls_enroll.cpp:76] Failed enrollment request to <https://abc.com/api/v1/osquery/enroll> (No node key returned from TLS enroll plugin) retrying...@Alexandr Ivanov - Can it be possible to help here? **
a
Alexandr Ivanov
04/27/2020, 10:45 AM@ravindrags24 Try to change tls_server_certs to *.crt, usually Windows doesn’t understand PEM certs
r
ravindrags24
04/27/2020, 10:46 AMOk thanks for that.
a
Alexandr Ivanov
04/27/2020, 10:46 AMAlso, usually it is useful to look into Kolide logs, not only osquery logs
r
ravindrags24
04/28/2020, 10:25 AM@Alexandr Ivanov - I have changed *.pem to *.crt file. and still same issues. And surprising that I couldn't able to find any logs on server too. I think its still not connecting to server and getting errors in local windows machine itself.
Any idea about this error.
W0425 13:52:06.597894 2140 tls_enroll.cpp:76] Failed enrollment request to <https://abc.com/api/v1/osquery/enroll> (No node key returned from TLS enroll plugin) retrying...