benbass

06/19/2019, 5:40 PM
Sure. How would you like it?

zwass

06/19/2019, 5:41 PM
Paste right into here would do

benbass

06/19/2019, 5:43 PM
For some reason it wouldn’t let me paste it right in.
The darwin override works just fine.

zwass

06/19/2019, 5:44 PM
And you know it doesn't work because you used --tls_dump and didn't see the correct config?

benbass

06/19/2019, 5:44 PM
Yup.
Used --verbose and --tls_dump.
At first I changed the distributed interval to be different to see what was being pulled.
then saw it matched up with the default options.
When I change the default logger_path to the windows one, the endpoints log in and work just fine.
I would like to leave the default to a linux like format as we will be pulling in more random flavors of linux in the coming months, and don’t want to rely on a rhel override.

zwass

06/19/2019, 5:46 PM
Sure, makes sense

seph

06/19/2019, 5:58 PM
I’m not current on the fleet source code, but I suspect all the linux platform identification is pretty dicey. I put some comments around https://github.com/osquery/osquery/pull/5488

zwass

06/19/2019, 6:03 PM
What is the result of
select platform from os_version
on this host?

benbass

06/19/2019, 6:07 PM
windows
I checked that. I am also seeing the same thing from a windows VM that is part of our standard build too.

zwass

06/19/2019, 6:08 PM
Do you have access to the Fleet MySQL db? Can you run
select * from osquery_options;
there?

benbass

06/19/2019, 6:09 PM
sure - let me connect.
This is from my prod server; it mirrored our dev until I made the changes to move the windows configs into the default, so this is what I started with.

zwass

06/19/2019, 6:16 PM
DB looks as I would expect. Does the darwin override work?
Are you sure the osquery clients are connected to the server with this updated config?

benbass

06/19/2019, 6:17 PM
Yep. I have my atcs working.
They are connecting and working on one where I had these exact options (i pushed this yaml config over)
but only work when I change the default to have the logger_path.
the windows clients don’t seem to work with the override for some reason.
I’ll push config with the windows overrides back and see what happens.

zwass

06/19/2019, 6:19 PM
Can you
select * from hosts where platform = 'windows'
?
Doing all of this on the same server where you see things not working would be helpful

benbass

06/19/2019, 6:20 PM
yup. let me push the configs back.
(yay dev environment)
Aaaand it’s working now.

zwass

06/19/2019, 6:25 PM
😁

benbass

06/19/2019, 6:26 PM
Which is very odd, as I pushed the exact same configs from prod, which the clients were failing on yesterday too.

zwass

06/19/2019, 6:26 PM
All you really needed was a :psyduck:

benbass

06/19/2019, 6:26 PM
quack.

zwass

06/19/2019, 6:26 PM
I think I'm the one who needs to be quacking 😉
Anyway, glad you got it sorted.

benbass

06/19/2019, 6:26 PM
yeah, hopefully things will work on new hosts. 🙂
Thanks for the help!

zwass

06/19/2019, 6:27 PM
Yeah check in again if they don't
I'd bet the signals got crossed on which servers the configs were being applied to and which the hosts were enrolling on

benbass

06/19/2019, 6:29 PM
Quite possibly, but both servers had the same configs at first.