Howdy, folks. Anyone around who could help me out ...
# kolided
dlachmann
06/06/2019, 6:56 PMHowdy, folks. Anyone around who could help me out with enrolling a windows endpoint with fleet?
t
Tim
06/06/2019, 9:27 PMI might be able to help out. What issues are you running into?
d
dlachmann
06/07/2019, 12:44 PM@Tim I'm trying to enroll my Windows machine with the tls plugin, however I'm getting an error message
dlachmann
06/07/2019, 12:45 PMHere's my command:
.\osqueryd.exe
--enroll_secret_env=Tnr/xxxxxxxxx
--enroll_tls_endpoint=x.x.x.x:8080
--tls_server_certs=C:\ProgramData\osquery\certs\x.x.x.x_8080.pem
--verbose
--host_identifier=HOST-27
--config_tls_refresh=10
--disable_distributed=false
--distributed_plugin=tls
--distributed_interval=3
--distributed_tls_max_attempts=3
dlachmann
06/07/2019, 12:49 PMHere's what I'm seeing:
I0607 084228.572372 2504 tls.cpp:240] TLS/HTTPS POST request to URI: https://x.x.x.x:8080
dlachmann
06/07/2019, 12:49 PMW0607 084229.052740 2504 tls_enroll.cpp:67] Failed enrollment request to https://x.x.x.x:8080 (Cannot parse JSON: Invalid value. Offset: 0) retrying...
t
Tim
06/07/2019, 3:08 PMIS your server running ok? IS there a different host with that identifier? Maybe try it without specifying a host identifier.
Tim
06/07/2019, 3:08 PMoh and for the error, are you parsing json anywhere on the host for this?
Tim
06/07/2019, 3:21 PMactually you're missing a few flags
Copy code
--enroll_tls_endpoint=/api/v1/osquery/enroll
--config_plugin=tls
--config_tls_endpoint=/api/v1/osquery/configd
dlachmann
06/07/2019, 4:15 PM.\osqueryd.exe --enroll_secret_env=Tnr/Tl0zB2vySH9x1DEIcA4kS0cXw5yI
--tls_hostname=x.x.x.x:8080
--tls_server_certs=C:\ProgramData\osquery\certs\x.x.x.x_8080.pem
--verbose
--host_identifier=HOST-27
--config_tls_refresh=10
--disable_distributed=false
--distributed_plugin=tls
--distributed_interval=3
--distributed_tls_max_attempts=3
--enroll_tls_endpoint=/api/v1/osquery/enroll
--config_plugin=tls
--config_tls_endpoint=/api/v1/osquery/config
dlachmann
06/07/2019, 4:15 PMCommand with the new flags
dlachmann
06/07/2019, 4:16 PMFailed enrollment request to https://192.168.2.183:8080/api/v1/osquery/enroll (No node key returned from TLS enroll plugin) retrying...
dlachmann
06/07/2019, 4:16 PM^ New error message
t
Tim
06/07/2019, 4:57 PMI haven't used the enroll_secret_env flag, I use the enroll_secret_path one but your secret might be getting passed wrong. Try adding
Copy code
--verbose Copy code
--tls_dumpd
dlachmann
06/07/2019, 5:00 PM Copy code
{
"error": "invalid enroll secret",
"node_invalid": true
}dlachmann
06/07/2019, 5:01 PMI'll try doing enroll_secret_path
t
Tim
06/07/2019, 5:01 PMtry copying just your enroll secret, placing it in a file, then adding the
Copy code
--enroll_secret_path=C:\PATH\TO\FILEd
dlachmann
06/07/2019, 5:06 PMWorking!!! Awesome, thank you so much
dlachmann
06/07/2019, 5:07 PMAnother question though, this will only work when I run it it command line, right?
t
Tim
06/07/2019, 5:10 PMNp, and that depends. If you put a flagfile with all this in it in the default path for the service flagfile then it will work whenever the osqueryd service starts. Or you could alter the default osqueryd service and point it to wherever you want for a flagfile.
d
dlachmann
06/07/2019, 5:34 PMSo I got osquery to connect to fleet with a flagfile I created and specified when running osqueryi.exe --flagfile=<FLAGFILE>
dlachmann
06/07/2019, 5:35 PMUnsure as to how to point it at the flag file when running it as a windows service though
dlachmann
06/07/2019, 5:37 PMNevermind! I read your last message a bit closer and understood
dlachmann
06/07/2019, 5:37 PMThanks so much for your help!
👍 1
dlachmann
06/07/2019, 5:38 PM❤️
14 Views