
dlachmann

06/06/2019, 6:56 PM
Howdy, folks. Anyone around who could help me out with enrolling a Windows endpoint with Fleet?

Tim

06/06/2019, 9:27 PM
I might be able to help out. What issues are you running into?

dlachmann

06/07/2019, 12:44 PM
@Tim I'm trying to enroll my Windows machine with the tls plugin, however I'm getting an error message
Here's my command: .\osqueryd.exe --enroll_secret_env=Tnr/xxxxxxxxx --enroll_tls_endpoint=x.x.x.x:8080 --tls_server_certs=C:\ProgramData\osquery\certs\x.x.x.x_8080.pem --verbose --host_identifier=HOST-27 --config_tls_refresh=10 --disable_distributed=false --distributed_plugin=tls --distributed_interval=3 --distributed_tls_max_attempts=3
Here's what I'm seeing: I0607 08:42:28.572372 2504 tls.cpp:240] TLS/HTTPS POST request to URI: https://x.x.x.x:8080
W0607 08:42:29.052740 2504 tls_enroll.cpp:67] Failed enrollment request to https://x.x.x.x:8080 (Cannot parse JSON: Invalid value. Offset: 0) retrying...

Tim

06/07/2019, 3:08 PM
Is your server running ok? Is there a different host with that identifier? Maybe try it without specifying a host identifier.
oh and for the error, are you parsing json anywhere on the host for this?
actually you're missing a few flags
--enroll_tls_endpoint=/api/v1/osquery/enroll
--config_plugin=tls
--config_tls_endpoint=/api/v1/osquery/config

dlachmann

06/07/2019, 4:15 PM
.\osqueryd.exe --enroll_secret_env=Tnr/Tl0zB2vySH9x1DEIcA4kS0cXw5yI --tls_hostname=x.x.x.x:8080 --tls_server_certs=C:\ProgramData\osquery\certs\x.x.x.x_8080.pem --verbose --host_identifier=HOST-27 --config_tls_refresh=10 --disable_distributed=false --distributed_plugin=tls --distributed_interval=3 --distributed_tls_max_attempts=3 --enroll_tls_endpoint=/api/v1/osquery/enroll --config_plugin=tls --config_tls_endpoint=/api/v1/osquery/config
Command with the new flags
Failed enrollment request to https://192.168.2.183:8080/api/v1/osquery/enroll (No node key returned from TLS enroll plugin) retrying...
^ New error message

Tim

06/07/2019, 4:57 PM
I haven't used the enroll_secret_env flag, I use the enroll_secret_path one but your secret might be getting passed wrong. Try adding
--verbose
and
--tls_dump
flags for troubleshooting

dlachmann

06/07/2019, 5:00 PM
{
  "error": "invalid enroll secret",
  "node_invalid": true
}
I'll try doing enroll_secret_path

Tim

06/07/2019, 5:01 PM
try copying just your enroll secret, placing it in a file, then adding the
--enroll_secret_path=C:\PATH\TO\FILE

dlachmann

06/07/2019, 5:06 PM
Working!!! Awesome, thank you so much
Another question though, this will only work when I run it in the command line, right?

Tim

06/07/2019, 5:10 PM
Np, and that depends. If you put a flagfile with all this in it in the default path for the service flagfile then it will work whenever the osqueryd service starts. Or you could alter the default osqueryd service and point it to wherever you want for a flagfile.

dlachmann

06/07/2019, 5:34 PM
So I got osquery to connect to Fleet with a flagfile I created and specified when running osqueryi.exe --flagfile=<FLAGFILE>
Unsure as to how to point it at the flagfile when running it as a Windows service though
Never mind! I read your last message a bit closer and understood
Thanks so much for your help!