Channels
doorman
infrastructure
random
zercurity
community-feeds
fleet-dev
code-review
queryhub
apple-silicon
carving
tls
fim
goquery
zentral
aws
querycon
golang
zeek
file-carving
fuzzing
auditing-warroom
linen-dev
fleetosquery
plugins
jobs
arm-architecture
darkbytes
process-auditing
uptycs
android_tests
selfgroup
vendor-feeds
fleet
eclecticiq-polylogyx-extension
ebpf
website
core
general
macos
kolide
osctrl
extensions
foundation
sql
officehours
linux
windows
Title
n
Nico
07/03/2019, 8:35 PMhey 👋 I have fleet setup with my hosts reporting to it. I'm trying to get the firehose output to work correctly. So far I get the status log in there, but not the results. They are both set to save to the same firehose stream, could that be the issue? I have a pack enabled with
select * from timeExecuting distributed query: kolide_distributed_query_45: SELECT * FROM timeexport KOLIDE_LOGGING_DEBUG=true
export KOLIDE_FIREHOSE_REGION=${KOLIDE_CONFIG_FIREHOSE_REGION}
export KOLIDE_FIREHOSE_RESULT_STREAM=${KOLIDE_CONFIG_FIREHOSE_RESULT_STREAM}
export KOLIDE_FIREHOSE_STATUS_STREAM=${KOLIDE_CONFIG_FIREHOSE_STATUS_STREAM}
export KOLIDE_OSQUERY_RESULT_LOG_PLUGIN=firehose
export KOLIDE_OSQUERY_STATUS_LOG_PLUGIN=firehosesorry had posted in general by mistake
z
zwass
07/03/2019, 8:49 PMFirst, live query results will never go to the logger. You'll only see them through the UI/fleetctl.
My guess is that pack is not targeted appropriately to the host. Can you take a look at how it is targeted?
Also, take a look at the logs on the host to see whether it is every running the scheduled query.
n
Nico
07/03/2019, 8:50 PMthe pack is targeted to all hosts
let me check the logs on a host
the only thing I see in there is the distributed query read and log.
--tls-hostname XXX
--logger_plugin=tls
--config_plugin=tls
--verbose
--enroll_tls_endpoint=/api/v1/osquery/enroll
--config_tls_endpoint=/api/v1/osquery/config
--enroll_secret_env=OSQUERY_ENROLL_SECRETmy flags
do I need a special one to enable packs?
oh, I think I just realised, I need the launcher for the packs right? the osqueryd doesn't have the ability to fetch new config right?
s
sundsta
07/03/2019, 9:16 PMYou don't need Launcher. The osquery_status logs should at least show you if it is connecting to Fleet and if it is executing the scheduled queries
n
Nico
07/03/2019, 9:19 PMI do see
Jul 03 21:17:46 ip-172-23-6-159 osquery.sh[1019]: I0703 21:17:46.221714 1263 tls.cpp:240] TLS/HTTPS POST request to URI:for distributed read and log
no other log
s
sundsta
07/03/2019, 9:21 PMThen it is not a target for that pack. You're looking for logs like
{"hostIdentifier":"FB2C3611-EA6B-C10B-3611-3C4CF096B325","calendarTime":"Wed Jul 3 21:17:52 2019 UTC","unixTime":"1562188672","severity":"0","filename":"scheduler.cpp","line":"100","message":"Executing scheduled query pack/events/user_events: SELECT * FROM user_events \nWHERE time < DATE('now') - 300","version":"3.3.2","decorations":{"host_uuid":"FB2C3611-EA6B-C10B-3611-3C4CF096B325","hostname":"REDACTED.local"}}(we log in JSON, so your formatting will be a bit different)
n
Nico
07/03/2019, 9:21 PMright sorry I do have those
they are forwarded to firehose
s
sundsta
07/03/2019, 9:22 PMOK, so it's working?
n
Nico
07/03/2019, 9:22 PMthings like opening rocksdb etc
but nothing about scheduled
s
sundsta
07/03/2019, 9:22 PMOK, then that host isn't targeted for the pack or the pack contains no queries.
n
Nico
07/03/2019, 9:23 PMz
zwass
07/03/2019, 10:05 PMThis pack looks targeted correctly
Can you run osqueryd on the host with —verbose —tls_dump and see what config it receives?
n
Nico
07/04/2019, 8:18 AMThe issue was I didn't have config-refresh set on osqueryd, I do get my results now. Thanks @zwass @sundsta 🙂
👍 1