Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
f
felix
12/09/2019, 10:32 AMHi everyone!
I think I either have a mistake in my configuration or a misunderstanding about query packs in fleet in general. So far, none of my packs get executed, even when targeted at all hosts and a 100% shard. Is there something I am missing? Do I need to configure them on the clients as well?
Sample pack:
apiVersion: v1
kind: pack
spec:
description: test
id: 3
name: test
queries:
- description: ""
interval: 10
name: Info
platform: ""
query: Info
removed: false
shard: 100
snapshot: true
version: ""
targets:
labels:
- All Hostsz
zwass
12/09/2019, 5:31 PMWhat does your "Info" query look like?
f
felix
12/09/2019, 5:32 PMJust the default select * from osquery_info
z
zwass
12/09/2019, 5:34 PMf
felix
12/09/2019, 5:37 PMYes. I don't think it's a problem with the logging, as I don't see any indication in the fleet status log that it tries to execute the pack. Nor does the client show anything
If I run a query manually in fleet I get the output and see how the server executes it in the log
z
zwass
12/09/2019, 5:39 PMSo you are able to run a live query against the "All Hosts" label?
f
felix
12/09/2019, 5:39 PMYes
z
zwass
12/09/2019, 5:42 PMAnd you have definitely `fleetctl apply`ed the query and pack? You get this yaml back when you
fleetctl get pack foof
felix
12/09/2019, 5:43 PMYes. I added the pack and query via the web interface but I also see it when running fleetctl
z
zwass
12/09/2019, 5:44 PMCan you also share the flags/flagfile you are using to start
osquerydf
felix
12/09/2019, 5:45 PMSure. Will take some time however as I don't have access to the machines at the moment
👍 1
fleetctl get options:
apiVersion: v1
kind: options
spec:
config:
decorators:
load:
- SELECT uuid AS host_uuid FROM system_info;
- SELECT hostname AS hostname FROM system_info;
options:
disable_distributed: false
distributed_interval: 10
distributed_plugin: tls
distributed_tls_max_attempts: 3
logger_plugin: tls
logger_tls_endpoint: /api/v1/osquery/log
logger_tls_period: 10
pack_delimiter: /
overrides: {}osquery.conf:
{
// Configure the daemon below:
"options": {
"enroll_secret_path": "C:\\Program Files\\osquery\\enroll_secret",
"tls_server_certs": "C:\\Program Files\\osquery\\certs\\server.pem",
"tls_hostname": "fleet:443",
"host_identifier": "hostname",
"enroll_tls_endpoint": "/api/v1/osquery/enroll",
"config_plugin": "tls",
"config_tls_endpoint": "/api/v1/osquery/config",
"config_refresh": 30,
"disable_distributed": "false",
"distributed_plugin": "tls",
"distributed_interval": 30,
"distributed_tls_max_attempts": 3,
"distributed_tls_read_endpoint": "/api/v1/osquery/distributed/read",
"distributed_tls_write_endpoint": "/api/v1/osquery/distributed/write",
"logger_plugin": "tls",
"logger_tls_endpoint": "/api/v1/osquery/log",
"logger_tls_period": 10,
"logger_min_stderr": 0,
"logger_min_status": 0
}
}z
zwass
12/10/2019, 4:49 PMWhat are the flags and flagfile you are starting osqueryd with?
f
felix
12/10/2019, 4:52 PMosquery is just started with the conf file, flags is empty
z
zwass
12/10/2019, 4:59 PMAh, so that's likely the issue. You need to set the config plugin at startup using a flag or flagfile. I would move those options you have in
osquery.conf(take a look at
osqueryd --helpf
felix
12/10/2019, 5:14 PMyes! that was it
thank you so much! 🙂
z
zwass
12/10/2019, 5:43 PMNice! Glad to hear it.