I've only seen something similar when someone uh... "experimented" with modifying the built-in labels. It was not great. But if you change the built-in 'All Hosts' label query to something that wouldn't include that host it could happen. Oooor if you deleted the label and re-created it, but the hosts hadn't re-run the label query to get added to the appropriate labels.

Thanks for the labels clue. After rebuilding my Fleet installation and doing some testing, the problem seems to have been that I was launching

osqueryd

directly rather than using

launcher

and hadn't included the

distributed_tls_read_endpoint

and

distributed_tls_write_endpoint

flags. Once I added those flags I saw several

kolide_label_query_xx

and

kolide_detail_query_xx

queries come in and the host started matching the "All Hosts" and "macOS" groups.

👍 that'll do it! glad you found the problem