Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
b
benbass
06/19/2019, 5:40 PMSure. How would you like it?
z
zwass
06/19/2019, 5:41 PMPaste right into here would do
b
benbass
06/19/2019, 5:43 PMFor some reason it wouldn’t let me paste it right in.
THe darwin override works just fine.
z
zwass
06/19/2019, 5:44 PMAnd you know it doesn't work because you used --tls_dump and didn't see the correct config?
b
benbass
06/19/2019, 5:44 PMYup.
Used --verbose and --tls_dump.
At first I changed the distributed interval to be different to see what was being pulled.
then saw it matched up with the default options.
When I change the default logger_path to the windows one, the endpoints log in and work just fine.
I would like to leave the default to a linux like format as we will be pulling in more random flavors of linux in the coming months, and don’t want to rely on a rhel override.
z
zwass
06/19/2019, 5:46 PMSure, makes sense
s
seph
06/19/2019, 5:58 PMI’m not current on the fleet source code, but I suspect all the linux platform identification is pretty dicy. I put some comments around https://github.com/osquery/osquery/pull/5488
z
zwass
06/19/2019, 6:03 PMWhat is the result of
select platform from os_versionb
benbass
06/19/2019, 6:07 PMwindows
I checked that. I am also seeing the same thing from a windows VM that is part of our standard build too.
z
zwass
06/19/2019, 6:08 PMDo you have access to the Fleet MySQL db? Can you run
select * from osquery_options;b
benbass
06/19/2019, 6:09 PMsure - let me connect.
This is from my prod server; it mirrored our dev until I made the changes to move the windows configs into the default, so this is what I started with.
z
zwass
06/19/2019, 6:16 PMDB looks as I would expect. Does the darwin override work?
Are you sure the osquery clients are connected to the server with this updated config?
b
benbass
06/19/2019, 6:17 PMYep. I have my atcs working.
They are connecting and working on one where I had these exact options (i pushed this yaml config over)
but only work when I change the default to have the logger_path.
the windows clients don’t seem to work with the override for soem reason.
I’ll push config with the windows overrides back and see what happens.
z
zwass
06/19/2019, 6:19 PMCan you
select * from hosts where platform = 'windows'Doing all of this on the same server where you see things not working would be helpful
b
benbass
06/19/2019, 6:20 PMyup. let me push the configs back.
(yay dev environment)
Aaaand it’s working now.
z
zwass
06/19/2019, 6:25 PM😁
b
benbass
06/19/2019, 6:26 PMWhich is very odd, as I pushed the exact same configs from prod, which the clients were failing on yesterday too.
z
zwass
06/19/2019, 6:26 PMAll you really needed was a 😛syduck:
b
benbass
06/19/2019, 6:26 PMquack.
z
zwass
06/19/2019, 6:26 PMI think I'm the one who needs to be quacking 😉
Anyway, glad you got it sorted.
b
benbass
06/19/2019, 6:26 PMyeah, hopefully things will work on new hosts. 🙂
Thanks for the help!
z
zwass
06/19/2019, 6:27 PMYeah check in again if they don't
I'd bet the signals got crossed on which servers the configs were being applied to and which the hosts were enrolling on
b
benbass
06/19/2019, 6:29 PMQuite possibly, but both servers had the same configs at first.