#kolide
SK

04/22/2020, 8:31 AM
Hey guys, how does fleet handle osquery agents in a VDI environment? On one server there is more than one installation of osquery, as it is installed per VDI, and the hostname of the server is the host identifier in osquery. Will there be any registration issues or overwrites in the fleet DB for each osquery agent on the same host?
sundsta

04/22/2020, 2:29 PM
In this scenario, osquery would be installed in each VM, which should have a unique UUID and hostname, unless your infrastructure does not sysprep and set unique hostnames for each VM, which would potentially cause a lot of other issues in an Active Directory environment (assuming this is Windows/AD).
2:30 PM
Also, you can (and probably should) set the --host_identifier=uuid flag in most situations rather than using the hostname as the identifier.
SK

04/22/2020, 3:06 PM
Hey @sundsta, I already tried with the UUID, but all the servers had the same UUID as they were based on a golden image and copied over. In this case hostnames are more unique, but there are many users on the same host. So will this cause issues in the Kolide DB? I was hoping that the node ID that Kolide gives to each entry would make it unique.
sundsta

04/22/2020, 3:16 PM
You should sysprep your servers before using them so that they have a unique security identifier (SID). See https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/sysprep--generalize--a-windows-installation
SK

04/22/2020, 3:49 PM
As server preparation is not my department, I cannot do anything about the sysprep, but I will pass this on as a suggestion. But even if I sysprep each server and they have their own UUID, the VDIs running on that server will have the same UUID, right?
sundsta

04/22/2020, 3:57 PM
Is the VDI a unique VM for each client or is it a terminal server that many users connect to?
SK

04/22/2020, 4:37 PM
More like a terminal server, but each user has their own osquery agent.
sundsta

04/22/2020, 4:51 PM
Why? If you deploy osquery with user permissions, you can't monitor a good chunk of the system.
SK

04/22/2020, 4:57 PM
Good point. I will check how it is actually deployed. Maybe there is no issue, but I wanted to dot my i's and cross my t's before the actual implementation.
2:16 PM
@sundsta The osquery installation was one per server, so there were no issues. 😉