# kolide

David M

08/16/2019, 12:30 AM
General question. I compiled a package using the instructions from the GitHub page and installed it on some Macs I have for testing, but I'm not getting any results back when running the query. I guess the question is, is installing the package from package-builder all I need to install on my endpoints, or is there something else? They enrolled and come up green, but running queries does nothing. Is there something else I need to initiate?

defensivedepth

08/16/2019, 12:32 AM
Have you confirmed that Redis is running and configured so that Fleet can connect to it? Redis is a requirement for ad hoc (non-scheduled) queries.

David M

08/16/2019, 12:34 AM
What's the best way to check? I am using ElastiCache and confirmed that the server in EC2 can talk to EC over the correct port. Looking at CloudWatch, I see activity.
I wonder if I need to open the ports from EC back to the EC2 instance?

defensivedepth

08/16/2019, 12:36 AM
The default config value for Fleet is `localhost:6379`. Make sure you have it configured correctly --> https://github.com/kolide/fleet/blob/master/docs/infrastructure/configuring-the-fleet-binary.md#redis

David M

08/16/2019, 12:37 AM
I do have it set to that.
Updating my Security Group.
Still doesn't seem to do anything. I have 6379 open between ElastiCache and the Fleet server. I have 3306 open between the RDS server and the Fleet server.

sundsta

08/16/2019, 2:40 AM
Look at the Fleet logs. They will show if there is a timeout to Redis.

defensivedepth

08/16/2019, 3:38 PM
Back online.... @David M Let us know if you still run into issues after checking the Fleet logs like @sundsta suggested

David M

08/16/2019, 6:09 PM
`tail -f /tmp/osquery_status`, right?

sundsta

08/16/2019, 6:14 PM
No. The output from the `fleet` binary. If you're running in Docker, that's just the container's STDOUT; if you're using a VM, check the systemd logs with `sudo journalctl -u fleet`.

David M

08/16/2019, 7:08 PM
Scrubbed the office IP out of the logs (shown as <scrubbed>). But this is the last 20,000 lines of the logs for Fleet.
Let me run a query and pull that part out of the logs to make it easier to see what we're getting.
Six minutes of logs. I ran the query 'SELECT * FROM osquery_info' during the window from one agent.

sundsta

08/16/2019, 7:59 PM
Is debug logging enabled? The error looks like this:
Aug 16 19:56:24 fleet-rp7w fleet[1308]: ts=2019-08-16T19:56:24.235866993Z component=service method=SubmitDistributedQueryResults ip_addr=<IP>:57100 err="failed to ingest result: writing results: PUBLISH failed to channel results_259: dial tcp <REDIS_IP>:6379: connect: connection timed out" took=2m10.36553587s

David M

08/16/2019, 8:11 PM
Added debug true, and here are the logs. I ran the query at 20:04 (top line) and the query stopped at 20:06. Looking for the osquery_info in the query.

sundsta

08/16/2019, 8:19 PM
osquery_info won't show. Even with debug logging, this is all that will show when a distributed query returns:
Aug 16 20:18:50 fleet-rp7w fleet[1308]: ts=2019-08-16T20:18:50.436811847Z component=service method=SubmitDistributedQueryResults ip_addr=<IP>:57188 err=null took=279.826207ms

David M

08/16/2019, 9:53 PM
So what would the next steps be for me? I pretty much followed the couple of walkthroughs posted on Github and the Kolide blog.