Channels
#kolide
Title
# kolide
a
austinylin
04/20/2019, 2:43 AMfairly sure I'm doing something stupid, but have fleet setup and a client enrolled, but distributed queries don't seem to be working. Fleet shows the client as enrolled and I see results going into /tmp/osquery_results from the host. When I run a dist query, the host receives it, executes it, and says it's posting it back to the server but nothing happens in the results window.
Copy code
I0419 19:39:36.237423 71012352 distributed.cpp:119] Executing distributed query: kolide_distributed_query_1: SELECT * FROM users;
I0419 19:39:36.286029 71012352 distributed.cpp:119] Executing distributed query: kolide_distributed_query_2: SELECT * FROM users;
I0419 19:39:36.328785 71012352 distributed.cpp:119] Executing distributed query: kolide_distributed_query_3: SELECT * FROM osquery_info
I0419 19:39:36.334825 71012352 distributed.cpp:119] Executing distributed query: kolide_distributed_query_4: SELECT * FROM osquery_info;
I0419 19:39:36.336787 71012352 distributed.cpp:119] Executing distributed query: kolide_distributed_query_5: SELECT * FROM osquery_info;
I0419 19:39:36.346189 71012352 tls.cpp:240] TLS/HTTPS POST request to URI: <https://fleet.redacted/api/v1/osquery/distributed/write>
I0419 19:39:43.415841 68354048 tls.cpp:240] TLS/HTTPS POST request to URI: <https://fleet.redacted/api/v1/osquery/log>
I0419 19:39:53.478049 71012352 tls.cpp:240] TLS/HTTPS POST request to URI: <https://fleet.redacted/api/v1/osquery/distributed/write>
I0419 19:39:53.492719 68354048 tls.cpp:240] TLS/HTTPS POST request to URI: <https://fleet.redacted/api/v1/osquery/log>
I0419 19:40:03.635547 68354048 tls.cpp:240] TLS/HTTPS POST request to URI: <https://fleet.redacted/api/v1/osquery/log>
I0419 19:40:13.613971 71012352 tls.cpp:240] TLS/HTTPS POST request to URI: <https://fleet.redacted/api/v1/osquery/distributed/write>
I0419 19:40:13.692886 68354048 tls.cpp:240] TLS/HTTPS POST request to URI: <https://fleet.redacted/api/v1/osquery/log>
I0419 19:40:23.818622 68354048 tls.cpp:240] TLS/HTTPS POST request to URI: <https://fleet.redacted/api/v1/osquery/log>
I0419 19:40:33.946880 68354048 tls.cpp:240] TLS/HTTPS POST request to URI: <https://fleet.redacted/api/v1/osquery/log>
I0419 19:40:39.743857 71012352 tls.cpp:240] TLS/HTTPS POST request to URI: <https://fleet.redacted/api/v1/osquery/distributed/read>
I0419 19:40:40.005892 71012352 distributed.cpp:119] Executing distributed query: kolide_distributed_query_1: SELECT * FROM users;
I0419 19:40:40.051160 71012352 distributed.cpp:119] Executing distributed query: kolide_distributed_query_2: SELECT * FROM users;
I0419 19:40:40.094993 71012352 distributed.cpp:119] Executing distributed query: kolide_distributed_query_3: SELECT * FROM osquery_info
I0419 19:40:40.096632 71012352 distributed.cpp:119] Executing distributed query: kolide_distributed_query_4: SELECT * FROM osquery_info;
I0419 19:40:40.097954 71012352 distributed.cpp:119] Executing distributed query: kolide_distributed_query_5: SELECT * FROM osquery_info;
I0419 19:40:40.104478 71012352 tls.cpp:240] TLS/HTTPS POST request to URI: <https://fleet.redacted/api/v1/osquery/distributed/write>flags file:
Copy code
--enroll_secret_env=OSQUERY_ENROLL_SECRET
--tls_hostname=fleet.redacted
--host_identifier=uuid
--enroll_tls_endpoint=/api/v1/osquery/enroll
--config_refresh=3600
--disable_distributed=false
--distributed_plugin=tls
--distributed_interval=10
--distributed_tls_max_attempts=3
--distributed_tls_read_endpoint=/api/v1/osquery/distributed/read
--distributed_tls_write_endpoint=/api/v1/osquery/distributed/write
--logger_plugin=tls
--logger_tls_endpoint=/api/v1/osquery/log
--logger_tls_period=10g
groob
04/20/2019, 12:45 PM
Is redis rubbing ok?
Running
e
Eduardo
04/22/2019, 5:18 PMIs there a way to check? /healthz times out and I don't see anything in the logs
g
groob
04/22/2019, 6:28 PM
if it times out that’s disturbing
if it’s returning 500 then you have an issue with either redis or mysql
logs would show which
e
Eduardo
04/22/2019, 6:30 PMwould it have something to do with redis in cluster mode?
Figured it out. Indeed a redis issue, thanks for the help 🙂