Sure How would you like it osquery #kolide

Join Slack

Sure. How would you like it?

# kolide

benbass

06/19/2019, 5:40 PM

Sure. How would you like it?

zwass

06/19/2019, 5:41 PM

Paste right into here would do

benbass

06/19/2019, 5:43 PM

For some reason it wouldn’t let me paste it right in.

options.yaml

benbass

06/19/2019, 5:43 PM

THe darwin override works just fine.

zwass

06/19/2019, 5:44 PM

And you know it doesn't work because you used --tls_dump and didn't see the correct config?

benbass

06/19/2019, 5:44 PM

Yup.

benbass

06/19/2019, 5:44 PM

Used --verbose and --tls_dump.

benbass

06/19/2019, 5:45 PM

At first I changed the distributed interval to be different to see what was being pulled.

benbass

06/19/2019, 5:45 PM

then saw it matched up with the default options.

benbass

06/19/2019, 5:45 PM

When I change the default logger_path to the windows one, the endpoints log in and work just fine.

benbass

06/19/2019, 5:46 PM

I would like to leave the default to a linux like format as we will be pulling in more random flavors of linux in the coming months, and don’t want to rely on a rhel override.

zwass

06/19/2019, 5:46 PM

Sure, makes sense

seph

06/19/2019, 5:58 PM

I’m not current on the fleet source code, but I suspect all the linux platform identification is pretty dicy. I put some comments around https://github.com/osquery/osquery/pull/5488

zwass

06/19/2019, 6:03 PM

What is the result of

select platform from os_version

on this host?

benbass

06/19/2019, 6:07 PM

windows

benbass

06/19/2019, 6:07 PM

I checked that. I am also seeing the same thing from a windows VM that is part of our standard build too.

zwass

06/19/2019, 6:08 PM

Do you have access to the Fleet MySQL db? Can you run

select * from osquery_options;

there?

benbass

06/19/2019, 6:09 PM

sure - let me connect.

benbass

06/19/2019, 6:14 PM

This is from my prod server; it mirrored our dev until I made the changes to move the windows configs into the default, so this is what I started with.

benbass

06/19/2019, 6:15 PM

osq_prod_options.txt

zwass

06/19/2019, 6:16 PM

DB looks as I would expect. Does the darwin override work?

zwass

06/19/2019, 6:16 PM

Are you sure the osquery clients are connected to the server with this updated config?

benbass

06/19/2019, 6:17 PM

Yep. I have my atcs working.

benbass

06/19/2019, 6:17 PM

They are connecting and working on one where I had these exact options (i pushed this yaml config over)

benbass

06/19/2019, 6:18 PM

but only work when I change the default to have the logger_path.

benbass

06/19/2019, 6:18 PM

the windows clients don’t seem to work with the override for soem reason.

benbass

06/19/2019, 6:19 PM

I’ll push config with the windows overrides back and see what happens.

zwass

06/19/2019, 6:19 PM

Can you

select * from hosts where platform = 'windows'

zwass

06/19/2019, 6:19 PM

Doing all of this on the same server where you see things not working would be helpful

benbass

06/19/2019, 6:20 PM

yup. let me push the configs back.

benbass

06/19/2019, 6:20 PM

(yay dev environment)

benbass

06/19/2019, 6:25 PM

Aaaand it’s working now.

zwass

06/19/2019, 6:25 PM

😁

benbass

06/19/2019, 6:26 PM

Which is very odd, as I pushed the exact same configs from prod, which the clients were failing on yesterday too.

zwass

06/19/2019, 6:26 PM

All you really needed was a psyduck

benbass

06/19/2019, 6:26 PM

quack.

zwass

06/19/2019, 6:26 PM

I think I'm the one who needs to be quacking 😉

zwass

06/19/2019, 6:26 PM

Anyway, glad you got it sorted.

benbass

06/19/2019, 6:26 PM

yeah, hopefully things will work on new hosts. 🙂

benbass

06/19/2019, 6:26 PM

Thanks for the help!

zwass

06/19/2019, 6:27 PM

Yeah check in again if they don't

zwass

06/19/2019, 6:27 PM

I'd bet the signals got crossed on which servers the configs were being applied to and which the hosts were enrolling on

benbass

06/19/2019, 6:29 PM

Quite possibly, but both servers had the same configs at first.

2 Views

Open in Slack

Previous Next