Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
d
dlachmann
06/06/2019, 6:56 PMHowdy, folks. Anyone around who could help me out with enrolling a windows endpoint with fleet?
t
Tim
06/06/2019, 9:27 PMI might be able to help out. What issues are you running into?
d
dlachmann
06/07/2019, 12:44 PM@Tim I'm trying to enroll my Windows machine with the tls plugin, however I'm getting an error message
Here's my command:
.\osqueryd.exe
--enroll_secret_env=Tnr/xxxxxxxxx
--enroll_tls_endpoint=x.x.x.x:8080
--tls_server_certs=C:\ProgramData\osquery\certs\x.x.x.x_8080.pem
--verbose
--host_identifier=HOST-27
--config_tls_refresh=10
--disable_distributed=false
--distributed_plugin=tls
--distributed_interval=3
--distributed_tls_max_attempts=3
Here's what I'm seeing:
I0607 08:42:28.572372 2504 tls.cpp:240] TLS/HTTPS POST request to URI: https://x.x.x.x:8080
W0607 08:42:29.052740 2504 tls_enroll.cpp:67] Failed enrollment request to https://x.x.x.x:8080 (Cannot parse JSON: Invalid value. Offset: 0) retrying...
t
Tim
06/07/2019, 3:08 PMIS your server running ok? IS there a different host with that identifier? Maybe try it without specifying a host identifier.
oh and for the error, are you parsing json anywhere on the host for this?
actually you're missing a few flags
--enroll_tls_endpoint=/api/v1/osquery/enroll
--config_plugin=tls
--config_tls_endpoint=/api/v1/osquery/configd
dlachmann
06/07/2019, 4:15 PM.\osqueryd.exe --enroll_secret_env=Tnr/Tl0zB2vySH9x1DEIcA4kS0cXw5yI
--tls_hostname=x.x.x.x:8080
--tls_server_certs=C:\ProgramData\osquery\certs\x.x.x.x_8080.pem
--verbose
--host_identifier=HOST-27
--config_tls_refresh=10
--disable_distributed=false
--distributed_plugin=tls
--distributed_interval=3
--distributed_tls_max_attempts=3
--enroll_tls_endpoint=/api/v1/osquery/enroll
--config_plugin=tls
--config_tls_endpoint=/api/v1/osquery/config
Command with the new flags
Failed enrollment request to https://192.168.2.183:8080/api/v1/osquery/enroll (No node key returned from TLS enroll plugin) retrying...
^ New error message
t
Tim
06/07/2019, 4:57 PMI haven't used the enroll_secret_env flag, I use the enroll_secret_path one but your secret might be getting passed wrong. Try adding
--verbose--tls_dumpd
dlachmann
06/07/2019, 5:00 PM{
"error": "invalid enroll secret",
"node_invalid": true
}I'll try doing enroll_secret_path
t
Tim
06/07/2019, 5:01 PMtry copying just your enroll secret, placing it in a file, then adding the
--enroll_secret_path=C:\PATH\TO\FILEd
dlachmann
06/07/2019, 5:06 PMWorking!!! Awesome, thank you so much
Another question though, this will only work when I run it it command line, right?
t
Tim
06/07/2019, 5:10 PMNp, and that depends. If you put a flagfile with all this in it in the default path for the service flagfile then it will work whenever the osqueryd service starts. Or you could alter the default osqueryd service and point it to wherever you want for a flagfile.
d
dlachmann
06/07/2019, 5:34 PMSo I got osquery to connect to fleet with a flagfile I created and specified when running osqueryi.exe --flagfile=<FLAGFILE>
Unsure as to how to point it at the flag file when running it as a windows service though
Nevermind! I read your last message a bit closer and understood
Thanks so much for your help!
👍 1
❤️