Hello! I am currently trying to get a query pack t...
# kolides
Scarlette
03/13/2020, 1:55 AMHello! I am currently trying to get a query pack to run every two minutes on my target machine. When I run a single live query individually it works fine, the data is seen. And the individual query I ran is seen on the target machine, the node key is okay, the request is fine. When I am trying to schedule a pack query the query field itself is seen as empty by the target machine. I tried to troubleshoot with https://github.com/kolide/fleet/blob/master/docs/infrastructure/faq.md#troubleshooting and noticed that when I live query `SELECT * FROM osquery_schedule`I dont get anything in return. I tried to then find this however it seems to be empty on my machine... I am unsure as to how to procede.
z
zwass
03/13/2020, 1:58 AM
Can you run your osquery client with
--verbose --tls_dumps
Scarlette
03/13/2020, 1:59 AMOf coarse! Here it is below...
Scarlette
03/13/2020, 3:10 AMSo we have our osquery nodes set up to get the configs over tls. But we have not been able to locate where to edit the API endpoint that pushes these config files out to the nodes. Thus we haven't edited them to run any scheduled queries, could this be our issue? if so is there any guidance you can provide on how we should proceed? Thanks! Scar
Scarlette
03/13/2020, 3:52 AMwe now believe that the issue is when the config file is grabbed with tls we get an error of "error reading config: cannot parse JSON: Invalid value. Offset: 0". Since it cannot grab the config I believe it is not getting notified about the scheduled pack queries?
s
seph
03/13/2020, 12:14 PM
Sounds like the config isn't parsing, yes. (I don't have context to help with what is happening)
➕ 1
z
zwass
03/13/2020, 5:54 PM
Can you get the logs from when osquery requests the config? You're showing distributed read which is the live query functionality. This is totally separate from scheduled queries.
3 Views