Channels
doorman
infrastructure
random
zercurity
community-feeds
fleet-dev
code-review
queryhub
apple-silicon
carving
tls
fim
goquery
zentral
aws
querycon
golang
zeek
file-carving
fuzzing
auditing-warroom
linen-dev
fleetosquery
plugins
jobs
arm-architecture
darkbytes
process-auditing
uptycs
android_tests
selfgroup
vendor-feeds
fleet
eclecticiq-polylogyx-extension
ebpf
website
core
general
macos
kolide
osctrl
extensions
foundation
sql
officehours
linux
windows
Title
d
David M
08/16/2019, 12:30 AMGeneral question. I compiled a package using the instructions from the Github page, I installed it to some Macs I have for testing, I'm not getting any results back when running the query. I guess the question is, is installing the package from package-builder all I need to install to my endpoints or is there something else? They enrolled and come up green, but running queries does nothing. Is there something else I need to initiate?
d
defensivedepth
08/16/2019, 12:32 AMHave you confirmed that redis is running and configured for Fleet to be able to connect to it? redis is a requirement for ad hoc (non-scheduled) queries
d
David M
08/16/2019, 12:34 AMWhat's the best way to check? I am using ElasticCache and confirmed that the server in EC2 can talk to EC over the correct port. Looking at CloudWatch I see activity.
I wonder if I need to open the ports from EC back to the EC2 instance?
d
defensivedepth
08/16/2019, 12:36 AMdefault config value for Fleet is
localhost:6379d
David M
08/16/2019, 12:37 AMI do have it set to that
Updating my Security Group
Still doesn't seem to do anything. I have 6379 open between ElasticCache and the Fleet server. I have 3306 open between the RDS server and the Fleet server.
s
sundsta
08/16/2019, 2:40 AMLook at the Fleet logs. It will show if there is a timeout to redis
d
defensivedepth
08/16/2019, 3:38 PMBack online.... @David M Let us know if you still run into issues after checking the Fleet logs like @sundsta suggested
d
David M
08/16/2019, 6:09 PMtail -f /tmp/osquery_status right?
s
sundsta
08/16/2019, 6:14 PMNo. The output from the
fleetsudo journalctl -u fleetd
David M
08/16/2019, 7:08 PMScrubbed the office IP out of the logs (shown as <scrubbed>). But this is the last 20,000 lines of the logs for Fleet.
Let me run a query and pull that part out of the logs to make it easier to see what we're getting.
Six minutes of logs. I ran the query 'SELECT * FROM osquery_info' during the window from one agent
s
sundsta
08/16/2019, 7:59 PMIs debug logging enabled? The error looks like this
Aug 16 19:56:24 fleet-rp7w fleet[1308]: ts=2019-08-16T19:56:24.235866993Z component=service method=SubmitDistributedQueryResults ip_addr=<IP>:57100 err="failed to ingest result: writing results: PUBLISH failed to channel results_259: dial tcp <REDIS_IP>:6379: connect: connection timed out" took=2m10.36553587sd
David M
08/16/2019, 8:11 PMAdded debug true and here are the logs. I ran the query at 20:04 (top line) and the query stopped at 20:06. Looking for the osquery_info in the query
s
sundsta
08/16/2019, 8:19 PMosquery_info won't show. Even with debug logging this is all that will show when a distributed query returns
Aug 16 20:18:50 fleet-rp7w fleet[1308]: ts=2019-08-16T20:18:50.436811847Z component=service method=SubmitDistributedQueryResults ip_addr=<IP>:57188 err=null took=279.826207msd
David M
08/16/2019, 9:53 PMSo what would the next steps be for me? I pretty much followed the couple of walkthroughs posted on Github and the Kolide blog.