Hi Friends Have some issues with new Kolide fleet server Pre osquery #kolide

Hi Friends: Have some issues with new Kolide fleet...

ravindrags24

04/24/2020, 9:50 AM

Hi Friends: Have some issues with new Kolide fleet server. Present Fleet version 2.6.0 Osquery Version: 4.3.0 Problem is below command works perfectly fine on Ubuntu host to join Kolide fleet server, but same command is not working on Windows host.

Copy code

sudo /usr/bin/osqueryd   --enroll_secret_path=/var/osquery/enroll_secret   --tls_server_certs=/var/osquery/kolide.pem   --tls_hostname=<http://kolide-test.abc.com|kolide-test.abc.com>  --host_identifier=hostname   --enroll_tls_endpoint=/api/v1/osquery/enroll   --config_plugin=tls   --config_tls_endpoint=/api/v1/osquery/config   --config_refresh=10   --disable_distributed=false   --distributed_plugin=tls   --distributed_interval=3   --distributed_tls_max_attempts=3   --distributed_tls_read_endpoint=/api/v1/osquery/distributed/read   --distributed_tls_write_endpoint=/api/v1/osquery/distributed/write   --logger_plugin=tls   --logger_tls_endpoint=/api/v1/osquery/log   --logger_tls_period=10

Windows commands.

Copy code

PS C:\Program Files\osquery> .\manage-osqueryd.ps1 -install --enroll_secret_path=C:\Program Files\osquery\secret.txt --tls_hostname=<http://kolide-test.abc.com|kolide-test.abc.com> --tls_server_certs=\Program Files\osquery\certs\kolide.pem --enroll_tls_endpoint=/api/v1/osquery/enroll --config_plugin=tls --config_tls_endpoint=/api/v1/osquery/config --config_refresh=10 --disable_distributed=false --distributed_plugin=tls --distributed_interval=3 --distributed_tls_max_attempts=3 --distributed_tls_read_endpoint=/api/v1/osquery/distributed/read --distributed_tls_write_endpoint=/api/v1/osquery/distributed/write --logger_plugin=tls --logger_tls_endpoint=/api/v1/osquery/log --logger_tls_period=10

Can some help on this.

Alexandr Ivanov

04/24/2020, 11:01 AM

Probably because of space between Program Files in _enroll_secret_path=C:\Program Files\osquery\secret.txt_

ravindrags24

04/24/2020, 11:03 AM

Even I tried with

'\Program Files\osquery\secret.txt'

its not working. No idea what was missing here.

Alexandr Ivanov

04/24/2020, 11:11 AM

I’ve make it work by putting all flags into flagfile and starting ps1 script with --flagfile. Also I noticed that you missed drive letter in tls_server_certs flag

ravindrags24

04/24/2020, 11:13 AM

Oh thanks. Will check that right now.

ravindrags24

04/25/2020, 8:23 AM

I have created flagfile and below are the details for that.

Copy code

--enroll_secret_path=C:\Program Files\osquery\secret.txt
--tls_hostname=<http://abc.com|abc.com>
--tls_server_certs=C:\Program Files\osquery\certs\<http://abc.com|abc.com>.pem
--host_identifier=hostname
--enroll_tls_endpoint=/api/v1/osquery/enroll
--config_plugin=tls
--config_tls_endpoint=/api/v1/osquery/config
--config_refresh=10
--logger_plugin=tls
--disable_distributed=false
--distributed_plugin=tls
--distributed_interval=3
--distributed_tls_max_attempts=3
--distributed_tls_read_endpoint=/api/v1/osquery/distributed/read
--distributed_tls_write_endpoint=/api/v1/osquery/distributed/write
--logger_plugin=tls --logger_tls_endpoint=/api/v1/osquery/log
--debug
--logger_tls_period=10

But getting error as below while executing the command.

Copy code

.\osqueryd.exe --flagfile='C:\Program Files\osquery\osquery.flags'

Thrift: Sat Apr 25 13:52:04 2020 Client connected.
Thrift: Sat Apr 25 13:52:04 2020 TPipe ::GetOverlappedResult errored GLE=errno = 109
Thrift: Sat Apr 25 13:52:04 2020 Client connected.
Thrift: Sat Apr 25 13:52:04 2020 TConnectedClient died: TPipe: GetOverlappedResult failed
Thrift: Sat Apr 25 13:52:04 2020 TPipe ::GetOverlappedResult errored GLE=errno = 109
Thrift: Sat Apr 25 13:52:04 2020 TConnectedClient died: TPipe: GetOverlappedResult failed
W0425 13:52:06.597894  2140 tls_enroll.cpp:76] Failed enrollment request to <https://abc.com/api/v1/osquery/enroll> (No node key returned from TLS enroll plugin) retrying...

ravindrags24

04/27/2020, 10:43 AM

@Alexandr Ivanov - Can it be possible to help here? **

Alexandr Ivanov

04/27/2020, 10:45 AM

@ravindrags24 Try to change tls_server_certs to *.crt, usually Windows doesn’t understand PEM certs

ravindrags24

04/27/2020, 10:46 AM

Ok thanks for that.

Alexandr Ivanov

04/27/2020, 10:46 AM

Also, usually it is useful to look into Kolide logs, not only osquery logs

ravindrags24

04/28/2020, 10:25 AM

@Alexandr Ivanov - I have changed *.pem to *.crt file. and still same issues. And surprising that I couldn't able to find any logs on server too. I think its still not connecting to server and getting errors in local windows machine itself. Any idea about this error.

Copy code

W0425 13:52:06.597894  2140 tls_enroll.cpp:76] Failed enrollment request to <https://abc.com/api/v1/osquery/enroll> (No node key returned from TLS enroll plugin) retrying...

How ever its wildcard certificate working from Ubuntu host and getting error in Windows.

4 Views

Open in Slack

Previous Next