#kolide
felix

12/09/2019, 10:32 AM
Hi everyone! I think I either have a mistake in my configuration or a misunderstanding about query packs in fleet in general. So far, none of my packs get executed, even when targeted at all hosts and a 100% shard. Is there something I am missing? Do I need to configure them on the clients as well? Sample pack:
apiVersion: v1
kind: pack
spec:
  description: test
  id: 3
  name: test
  queries:
  - description: ""
    interval: 10
    name: Info
    platform: ""
    query: Info
    removed: false
    shard: 100
    snapshot: true
    version: ""
  targets:
    labels:
    - All Hosts
zwass

12/09/2019, 5:31 PM
What does your "Info" query look like?
felix

12/09/2019, 5:32 PM
Just the default select * from osquery_info
felix

12/09/2019, 5:37 PM
Yes. I don't think it's a problem with the logging, as I don't see any indication in the fleet status log that it tries to execute the pack. Nor does the client show anything
5:39 PM
If I run a query manually in fleet I get the output and see how the server executes it in the log
zwass

12/09/2019, 5:39 PM
So you are able to run a live query against the "All Hosts" label?
felix

12/09/2019, 5:39 PM
Yes
zwass

12/09/2019, 5:42 PM
And you have definitely fleetctl apply'd the query and pack? You get this yaml back when you run fleetctl get pack foo?
felix

12/09/2019, 5:43 PM
Yes. I added the pack and query via the web interface but I also see it when running fleetctl
zwass

12/09/2019, 5:44 PM
Can you also share the flags/flagfile you are using to start osqueryd and the osquery configuration you set in Fleet?
felix

12/09/2019, 5:45 PM
Sure. Will take some time however as I don't have access to the machines at the moment
8:04 AM
fleetctl get options:
apiVersion: v1
kind: options
spec:
  config:
    decorators:
      load:
      - SELECT uuid AS host_uuid FROM system_info;
      - SELECT hostname AS hostname FROM system_info;
    options:
      disable_distributed: false
      distributed_interval: 10
      distributed_plugin: tls
      distributed_tls_max_attempts: 3
      logger_plugin: tls
      logger_tls_endpoint: /api/v1/osquery/log
      logger_tls_period: 10
      pack_delimiter: /
  overrides: {}
8:05 AM
osquery.conf:
{
  // Configure the daemon below:
  "options": {
    "enroll_secret_path": "C:\\Program Files\\osquery\\enroll_secret",
    "tls_server_certs": "C:\\Program Files\\osquery\\certs\\server.pem",
    "tls_hostname": "fleet:443",
    "host_identifier": "hostname",
    "enroll_tls_endpoint": "/api/v1/osquery/enroll",
    "config_plugin": "tls",
    "config_tls_endpoint": "/api/v1/osquery/config",
    "config_refresh": 30,
    "disable_distributed": "false",
    "distributed_plugin": "tls",
    "distributed_interval": 30,
    "distributed_tls_max_attempts": 3,
    "distributed_tls_read_endpoint": "/api/v1/osquery/distributed/read",
    "distributed_tls_write_endpoint": "/api/v1/osquery/distributed/write",
    "logger_plugin": "tls",
    "logger_tls_endpoint": "/api/v1/osquery/log",
    "logger_tls_period": 10,
    "logger_min_stderr": 0,
    "logger_min_status": 0
  }
}
zwass

12/10/2019, 4:49 PM
What are the flags and flagfile you are starting osqueryd with?
felix

12/10/2019, 4:52 PM
osquery is just started with the conf file, the flags are empty
zwass

12/10/2019, 4:59 PM
Ah, so that's likely the issue. You need to set the config plugin at startup using a flag or flagfile. I would move those options you have in osquery.conf into a flagfile and then I think it will work.
5:01 PM
(take a look at osqueryd --help and you will see that config_plugin is a CLI-only flag)
felix

12/10/2019, 5:14 PM
yes! that was it
5:14 PM
thank you so much! 🙂
zwass

12/10/2019, 5:43 PM
Nice! Glad to hear it.