Channels
doorman
infrastructure
random
zercurity
community-feeds
fleet-dev
code-review
queryhub
apple-silicon
carving
tls
fim
goquery
zentral
aws
querycon
golang
zeek
file-carving
fuzzing
auditing-warroom
linen-dev
fleetosquery
plugins
jobs
arm-architecture
darkbytes
process-auditing
uptycs
android_tests
selfgroup
vendor-feeds
fleet
eclecticiq-polylogyx-extension
ebpf
website
core
general
macos
kolide
osctrl
extensions
foundation
sql
officehours
linux
windows
Title
t
Tim
05/13/2019, 3:57 PMQuick question, is the numerical ID hosts are identified with in Kolide (the one needed to be sent to the API to do a delete command) supposed to increment by 1 when new hosts are added?
z
zwass
05/13/2019, 4:02 PMyes
t
Tim
05/13/2019, 4:11 PMok, I have some systems that have normalish numbers like 28, 57 and so on. After doing some testing with sending Delete commands and accidentally sending some high number host IDs, my new host IDs are in the 100,000 range. I've never had this many hosts connect and was trying to figure out why the ID is so high now.
z
zwass
05/13/2019, 4:35 PMI’m not sure this will have any negative effects, but I am curious to explore. Can you document what you know in a GitHub issue please?
t
Tim
06/06/2019, 10:51 PMSorry for the delay but I finally just opened an issue for this
https://github.com/kolide/fleet/issues/2059
Hey Zach I'm looking for a quick fix to reset my host ID issue. In theory would deleting the "hosts" table from my DB force kolide to make a new table and start the host ID back to 1?
z
zwass
06/26/2019, 3:36 PMHey Tim, I would not advise doing that. Fleet will not automatically recreate the table. It's not clear to me why you're seeing the behavior you are, and I'm not able to reproduce it. Do you believe it is causing problems for you?
t
Tim
06/26/2019, 10:46 PMRight now it is not causing any problems but my highest ID is 7530599 right now and I am going to have thousands more hosts checking in within a few weeks. From what I saw in the DB the highest number it can handle is 4294967295. If Fleet won't recreate the table would truncating the table work? Since osqueryd is running on all the hosts with the appropriate flags file I'm thinking they would all just check in again and get a new ID. Also, I've been looking into the DB deeper and noticed the big jump in IDs happens with each new date. Here's some of my hosts table with IDs and created_at.
mysql> select id,created_at from hosts count ;
+---------+---------------------+
| id | created_at |
+---------+---------------------+
| 9 | 2019-04-12 22:19:06 |
| 171 | 2019-05-09 17:39:30 |
| 224 | 2019-05-09 17:42:14 |
| 226 | 2019-05-09 17:42:14 |
| 228 | 2019-05-09 17:42:16 |
| 251 | 2019-05-09 17:43:22 |
| 254 | 2019-05-09 17:43:25 |
| 264 | 2019-05-09 17:43:34 |
| 794 | 2019-05-09 18:11:26 |
| 33727 | 2019-05-10 15:14:35 |
| 33734 | 2019-05-10 15:14:46 |
| 33735 | 2019-05-10 15:14:46 |
| 33742 | 2019-05-10 15:14:55 |
| 143650 | 2019-05-13 13:09:00 |
| 171565 | 2019-05-13 19:02:03 |z
zwass
06/27/2019, 12:00 AMAre you seeing this kind of jump in any other tables?
t
Tim
06/28/2019, 4:15 PMit doesn't seem to be happening in other tables. When I add a new user their ID increments by one.
turned on some logging for the DB and say this INSERT line show up a ton, which explains the increment for new hosts being much higher than exepected.
1561764009535540,kolide-osquery,kolide_user,10.179.135.46,528065,2686921774,QUERY,kolide,'INSERT INTO hosts ( detail_update_time, osquery_host_id, seen_time, node_key ) VALUES (?, ?, ?, ?) ON DUPLICATE KEY UPDATE node_key = VALUES(node_key), deleted = FALSE',0so after thinking about what could be causing fleet to be trying to make entries I came across a couple IP's contacting the server and then getting the below error.
{
"component": "http",
"err": "authentication error: invalid node key: WTf9lH6ZQFe310M49TMlZi+GE/T2fsPS",
"ts": "2019-06-29T00:54:18.454937871Z"
}