Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
r
Reza Kazemy
12/04/2022, 10:41 AMHello everybody.
Sorry, when I installed the fleet-osquery.msi, I started to get results like "-" 400 157 "-" "-" on my Nginx Log.
Could anyone please help me get through this?
k
Kathy Satterlee
12/05/2022, 5:42 PMHi @Reza Kazemy. Can you share the full error you're seeing, as well as any corresponding errors in your Fleet server Logs?
r
Reza Kazemy
12/07/2022, 7:26 AM@Kathy Satterlee
Thank you for the reply.
Sure.
The fleet server container does not show any errors. the version is 4.20.1
the agent that I am using had been generated with fleetctl version 4.20.1.
the log of Nginx for fleet after installing the agent.
"GET /api/latest/fleet/device/%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00/desktop HTTP/1.1" 400 157 "-" "-"fleet-webgui | {"hostID":1,"level":"error","message":"distributed query is denylisted","query":"fleet_detail_query_software_windows","ts":"2022-12-07T07:24:36.580582109Z"}
fleet-webgui | {"err":"failed","level":"error","op":"directIngestSoftware","ts":"2022-12-07T07:24:36.582251321Z"}
fleet-webgui | {"component":"http","err":": Authentication required","internal":"authentication error: invalid orbit node key","level":"info","path":"/api/fleet/orbit/config","ts":"2022-12-07T07:24:37.05854835Z"}
fleet-webgui | {"component":"http","err":": Authentication required","internal":"authentication error: invalid orbit node key","level":"info","path":"/api/fleet/orbit/config","ts":"2022-12-07T07:25:07.122905616Z"}
fleet-webgui | {"component":"http","err":": Authentication required","internal":"authentication error: invalid orbit node key","level":"info","path":"/api/fleet/orbit/config","ts":"2022-12-07T07:25:37.177454183Z"}@Kathy Satterlee
Hi, Kathy. I am so sorry. did you get anything from the error code???
@Kathy Satterlee Hi Katy, I am so sorry for posting this question a lot. I am kind of in an emergency situation. I need to handle this error as soon az it possible.
Did you find anything that can help me with this error?
k
Kathy Satterlee
12/15/2022, 7:51 PMSo sorry, @Reza Kazemy! It looks like the issue is related to your host not getting a valid token from Fleet. Can you check the Fleet desktop and Orbit logs on on your host for any errors?
Orbit logs:
https://fleetdm.com/docs/using-fleet/orbit#troubleshooting
Fleet Desktop logs:
https://fleetdm.com/docs/deploying/debugging#osquery
And make sure these endpoints aren't restricted in
nginxr
Reza Kazemy
12/17/2022, 9:44 AM@Kathy Satterlee. Thank you so much. The strange things that happened on my device when I am using the agent software is that the UUID that is needed for desktop API (( first log )) and I have no idea what is happening on that proccess.
@Kathy Satterlee Here is wat I had got from orbit logs:
2022-12-17T14:57:43+03:30 INF calling flags updateI1217 14:57:44.026043 15508 interfaces.cpp:102] Failed to retrieve network statistics for interface 18I1217 14:57:44.740763 15508 interfaces.cpp:102] Failed to retrieve network statistics for interface 13I1217 14:57:45.325450 15508 interfaces.cpp:102] Failed to retrieve network statistics for interface 23I1217 14:57:45.979974 15508 interfaces.cpp:102] Failed to retrieve network statistics for interface 2I1217 14:57:46.479738 15508 interfaces.cpp:102] Failed to retrieve network statistics for interface 21I1217 14:57:47.643726 15508 interfaces.cpp:102] Failed to retrieve network statistics for interface 17I1217 14:57:48.661547 15508 interfaces.cpp:102] Failed to retrieve network statistics for interface 1I1217 14:57:49.016599 15508 interfaces.cpp:130] Failed to retrieve physical state for interface 1I1217 14:57:49.088176 15508 interfaces.cpp:157] Failed to retrieve DHCP and DNS information for interface 1I1217 14:57:49.106617 15508 interfaces.cpp:102] Failed to retrieve network statistics for interface 28I1217 14:57:49.261628 15508 interfaces.cpp:130] Failed to retrieve physical state for interface 28I1217 14:57:49.291086 15508 interfaces.cpp:157] Failed to retrieve DHCP and DNS information for interface 282022-12-17T14:58:13+03:30 INF calling flags update2022-12-17T14:58:43+03:30 INF calling flags update2022-12-17T14:59:13+03:30 INF calling flags update@Lucas Rodriguez Sorry Lucas, can you help me with this one as well???
k
Kathy Satterlee
12/19/2022, 4:47 PMReaching out to the team now. Did you have Fleet Desktop logs as well?
r
Reza Kazemy
12/19/2022, 5:19 PMHi Kathy.
2022-12-19T14:06:50+03:30 DBG successfully refetched the token from disk
2022-12-19T14:06:50+03:30 ERR get device URL error="GET /api/latest/fleet/device/\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00/desktop received status 400 unknown"
2022-12-19T14:06:55+03:30 DBG successfully refetched the token from disk
2022-12-19T14:06:55+03:30 ERR get device URL error="GET /api/latest/fleet/device/\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00/desktop received status 400 unknown"
2022-12-19T14:07:00+03:30 DBG successfully refetched the token from disk
2022-12-19T14:07:00+03:30 ERR get device URL error="GET /api/latest/fleet/device/\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00/desktop received status 400 unknown"
2022-12-19T14:07:05+03:30 DBG successfully refetched the token from disk
2022-12-19T14:07:05+03:30 ERR get device URL error="GET /api/latest/fleet/device/\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00/desktop received status 400 unknown"
2022-12-19T14:07:10+03:30 DBG successfully refetched the token from disk
2022-12-19T14:07:10+03:30 ERR get device URL error="GET /api/latest/fleet/device/\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00/desktop received status 400 unknown"
2022-12-19T14:07:13+03:30 INF Shutdown was requested!l
Lucas Rodriguez
12/19/2022, 9:41 PMHi @Reza Kazemy! Couple of questions:
1. This is a Windows host having the issues? What version?
2. Can you check the contents of
C:\Program Files\Orbit\identifier8bde4838-3f98-48a5-a60a-9a8699465564C:\Windows\System32\config\systemprofile\AppData\Local\FleetDM\Orbit\Logs\orbit-osquery.log4. What's the Orbit version? In
cmd"C:\Program Files\Orbit\bin\orbit/orbit.exe" --version
orbit 1.4.0r
Reza Kazemy
12/20/2022, 6:07 AM@Lucas Rodriguez
Sure.
Yes, this is Windows 11.
I checked the identifier file, and it is empty 😞
I checked the path on my file system for orbit. there is no orbit.exe on my device to find out the version. However, I checked the orbit node key on my system and It does exist but cannot be loaded either. I used fleetctl V4.24.0 in order to generate the software.
Thank you so much. if you need anything else please let me know.
2022-12-19T13:16:24+03:30 INF flags updates failed error="error getting flags from fleet: POST /api/fleet/orbit/config: Post \"<https://fleet.test.com:8443/api/fleet/orbit/config>\": dial tcp 127.0.0.1:8443: connectex: No connection could be made because the target machine actively refused it."
2022-12-19T13:16:54+03:30 INF calling flags update
2022-12-19T13:16:56+03:30 INF flags updates failed error="error getting flags from fleet: POST /api/fleet/orbit/config: Post \"<https://fleet.test.com:8443/api/fleet/orbit/config>\": dial tcp 127.0.0.1:8443: connectex: No connection could be made because the target machine actively refused it."
2022-12-19T13:17:26+03:30 INF calling flags update
2022-12-19T13:17:28+03:30 INF flags updates failed error="error getting flags from fleet: POST /api/fleet/orbit/config: Post \"<https://fleet.test.com:8443/api/fleet/orbit/config>\": dial tcp 127.0.0.1:8443: connectex: No connection could be made because the target machine actively refused it."
2022-12-19T13:17:58+03:30 INF calling flags update
2022-12-19T13:18:00+03:30 INF flags updates failed error="error getting flags from fleet: POST /api/fleet/orbit/config: Post \"<https://fleet.test.com:8443/api/fleet/orbit/config>\": dial tcp 127.0.0.1:8443: connectex: No connection could be made because the target machine actively refused it."
2022-12-19T13:18:30+03:30 INF calling flags update
2022-12-19T13:18:32+03:30 INF flags updates failed error="error getting flags from fleet: POST /api/fleet/orbit/config: Post \"<https://fleet.test.com:8443/api/fleet/orbit/config>\": dial tcp 127.0.0.1:8443: connectex: No connection could be made because the target machine actively refused it."
2022-12-19T13:19:02+03:30 INF calling flags update
2022-12-19T13:19:04+03:30 INF flags updates failed error="error getting flags from fleet: POST /api/fleet/orbit/config: Post \"<https://fleet.test.com:8443/api/fleet/orbit/config>\": dial tcp 127.0.0.1:8443: connectex: No connection could be made because the target machine actively refused it."
2022-12-19T13:19:34+03:30 INF calling flags update
2022-12-19T13:19:36+03:30 INF flags updates failed error="error getting flags from fleet: POST /api/fleet/orbit/config: Post \"<https://fleet.test.com:8443/api/fleet/orbit/config>\": dial tcp 127.0.0.1:8443: connectex: No connection could be made because the target machine actively refused it."
2022-12-19T13:20:06+03:30 INF calling flags update
2022-12-19T13:20:08+03:30 INF flags updates failed error="error getting flags from fleet: POST /api/fleet/orbit/config: Post \"<https://fleet.test.com:8443/api/fleet/orbit/config>\": dial tcp 127.0.0.1:8443: connectex: No connection could be made because the target machine actively refused it."
2022-12-19T13:20:38+03:30 INF calling flags update
2022-12-19T13:20:40+03:30 INF flags updates failed error="error getting flags from fleet: POST /api/fleet/orbit/config: Post \"<https://fleet.test.com:8443/api/fleet/orbit/config>\": dial tcp 127.0.0.1:8443: connectex: No connection could be made because the target machine actively refused it."
2022-12-19T13:21:06+03:30 ERR pinging the server error="HEAD /api/fleet/orbit/ping: Head \"<https://fleet.test.com:8443/api/fleet/orbit/ping>\": dial tcp 127.0.0.1:8443: connectex: No connection could be made because the target machine actively refused it."
2022-12-19T13:21:10+03:30 INF calling flags update
2022-12-19T13:21:13+03:30 INF flags updates failed error="error getting flags from fleet: POST /api/fleet/orbit/config: Post \"<https://fleet.test.com:8443/api/fleet/orbit/config>\": dial tcp 127.0.0.1:8443: connectex: No connection could be made because the target machine actively refused it."
2022-12-19T13:21:43+03:30 INF calling flags update
2022-12-19T13:21:45+03:30 INF flags updates failed error="error getting flags from fleet: POST /api/fleet/orbit/config: Post \"<https://fleet.test.com:8443/api/fleet/orbit/config>\": dial tcp 127.0.0.1:8443: connectex: No connection could be made because the target machine actively refused it."
2022-12-19T13:22:15+03:30 INF calling flags update
2022-12-19T13:22:17+03:30 INF flags updates failed error="error getting flags from fleet: POST /api/fleet/orbit/config: Post \"<https://fleet.test.com:8443/api/fleet/orbit/config>\": dial tcp 127.0.0.1:8443: connectex: No connection could be made because the target machine actively refused it."
2022-12-19T13:22:47+03:30 INF calling flags update
2022-12-19T13:22:49+03:30 INF flags updates failed error="error getting flags from fleet: POST /api/fleet/orbit/config: Post \"<https://fleet.test.com:8443/api/fleet/orbit/config>\": dial tcp 127.0.0.1:8443: connectex: No connection could be made because the target machine actively refused it."
2022-12-19T13:23:19+03:30 INF calling flags update
2022-12-19T13:23:21+03:30 INF flags updates failed error="error getting flags from fleet: POST /api/fleet/orbit/config: Post \"<https://fleet.test.com:8443/api/fleet/orbit/config>\": dial tcp 127.0.0.1:8443: connectex: No connection could be made because the target machine actively refused it."
2022-12-19T13:23:51+03:30 INF calling flags update
2022-12-19T13:23:53+03:30 INF flags updates failed error="error getting flags from fleet: POST /api/fleet/orbit/config: Post \"<https://fleet.test.com:8443/api/fleet/orbit/config>\": dial tcp 127.0.0.1:8443: connectex: No connection could be made because the target machine actively refused it."
2022-12-19T13:24:23+03:30 INF calling flags update
2022-12-19T13:24:25+03:30 INF flags updates failed error="error getting flags from fleet: POST /api/fleet/orbit/config: Post \"<https://fleet.test.com:8443/api/fleet/orbit/config>\": dial tcp 127.0.0.1:8443: connectex: No connection could be made because the target machine actively refused it."
2022-12-19T13:24:55+03:30 INF calling flags update
2022-12-19T13:24:57+03:30 INF flags updates failed error="error getting flags from fleet: POST /api/fleet/orbit/config: Post \"<https://fleet.test.com:8443/api/fleet/orbit/config>\": dial tcp 127.0.0.1:8443: connectex: No connection could be made because the target machine actively refused it."
2022-12-19T13:25:27+03:30 INF calling flags update
2022-12-19T13:25:29+03:30 INF flags updates failed error="error getting flags from fleet: POST /api/fleet/orbit/config: Post \"<https://fleet.test.com:8443/api/fleet/orbit/config>\": dial tcp 127.0.0.1:8443: connectex: No connection could be made because the target machine actively refused it."
2022-12-19T13:25:59+03:30 INF calling flags update
2022-12-19T13:26:01+03:30 INF flags updates failed error="error getting flags from fleet: POST /api/fleet/orbit/config: Post \"<https://fleet.test.com:8443/api/fleet/orbit/config>\": dial tcp 127.0.0.1:8443: connectex: No connection could be made because the target machine actively refused it."
2022-12-19T13:26:06+03:30 ERR pinging the server error="HEAD /api/fleet/orbit/ping: Head \"<https://fleet.test.com:8443/api/fleet/orbit/ping>\": dial tcp 127.0.0.1:8443: connectex: No connection could be made because the target machine actively refused it."
2022-12-19T13:26:31+03:30 INF calling flags update
2022-12-19T13:26:33+03:30 INF flags updates failed error="error getting flags from fleet: POST /api/fleet/orbit/config: Post \"<https://fleet.test.com:8443/api/fleet/orbit/config>\": dial tcp 127.0.0.1:8443: connectex: No connection could be made because the target machine actively refused it."
2022-12-19T13:27:03+03:30 INF calling flags update
2022-12-19T13:27:05+03:30 INF flags updates failed error="error getting flags from fleet: POST /api/fleet/orbit/config: Post \"<https://fleet.test.com:8443/api/fleet/orbit/config>\": dial tcp 127.0.0.1:8443: connectex: No connection could be made because the target machine actively refused it."
2022-12-19T13:27:35+03:30 INF calling flags update
2022-12-19T13:27:37+03:30 INF flags updates failed error="error getting flags from fleet: POST /api/fleet/orbit/config: Post \"<https://fleet.test.com:8443/api/fleet/orbit/config>\": dial tcp 127.0.0.1:8443: connectex: No connection could be made because the target machine actively refused it."
2022-12-19T13:28:07+03:30 INF calling flags update
2022-12-19T13:28:09+03:30 INF flags updates failed error="error getting flags from fleet: POST /api/fleet/orbit/config: Post \"<https://fleet.test.com:8443/api/fleet/orbit/config>\": dial tcp 127.0.0.1:8443: connectex: No connection could be made because the target machine actively refused it."
2022-12-19T13:28:39+03:30 INF calling flags update
2022-12-19T13:28:41+03:30 INF flags updates failed error="error getting flags from fleet: POST /api/fleet/orbit/config: Post \"<https://fleet.test.com:8443/api/fleet/orbit/config>\": dial tcp 127.0.0.1:8443: connectex: No connection could be made because the target machine actively refused it."
2022-12-19T13:29:11+03:30 INF calling flags update
2022-12-19T13:29:13+03:30 INF flags updates failed error="error getting flags from fleet: POST /api/fleet/orbit/config: Post \"<https://fleet.test.com:8443/api/fleet/orbit/config>\": dial tcp 127.0.0.1:8443: connectex: No connection could be made because the target machine actively refused it."
2022-12-19T13:29:43+03:30 INF calling flags update
2022-12-19T13:29:45+03:30 INF flags updates failed error="error getting flags from fleet: POST /api/fleet/orbit/config: Post \"<https://fleet.test.com:8443/api/fleet/orbit/config>\": dial tcp 127.0.0.1:8443: connectex: No connection could be made because the target machine actively refused it."
2022-12-19T13:30:15+03:30 INF calling flags update
2022-12-19T13:30:17+03:30 INF flags updates failed error="error getting flags from fleet: POST /api/fleet/orbit/config: Post \"<https://fleet.test.com:8443/api/fleet/orbit/config>\": dial tcp 127.0.0.1:8443: connectex: No connection could be made because the target machine actively refused it."
2022-12-19T13:30:47+03:30 INF calling flags update
2022-12-19T13:30:47+03:30 INF flags updates failed error="error getting flags from fleet: The resource was not found"
W1219 13:31:08.553850 7180 options.cpp:106] The CLI only flag --logger_plugin set via config file will be ignored, please use a flagfile or pass it to the process at startup
I1219 13:31:10.873294 7180 config.cpp:908] Calling configure for logger tls
I1219 13:31:10.873294 7180 config.cpp:908] Calling configure for logger filesystem
2022-12-19T13:31:17+03:30 INF calling flags update
2022-12-19T13:31:17+03:30 INF flags updates failed error="error getting flags from fleet: The resource was not found"
2022-12-19T13:31:47+03:30 INF calling flags update
2022-12-19T13:31:47+03:30 INF flags updates failed error="error getting flags from fleet: The resource was not found"
2022-12-19T13:32:17+03:30 INF calling flags update
2022-12-19T13:32:17+03:30 INF flags updates failed error="error getting flags from fleet: The resource was not found"
2022-12-19T13:32:47+03:30 INF calling flags update
2022-12-19T13:32:48+03:30 INF flags updates failed error="error getting flags from fleet: The resource was not found"
2022-12-19T13:33:18+03:30 INF calling flags update
2022-12-19T13:33:18+03:30 INF flags updates failed error="error getting flags from fleet: The resource was not found"I had to mention that. I am using WSL (Ubuntu) in order to generate the software. because I am using Linux env for my development tasks.
I am curious if it is going to cause any problems or not.
@Lucas Rodriguez
l
Lucas Rodriguez
12/20/2022, 8:52 PMI had to mention that. I am using WSL (Ubuntu) in order to generate the software. because I am using Linux env for my development tasks.
I am curious if it is going to cause any problems or not.Should not cause any issues.
2022-12-19T13:33:18+03:30 INF flags updates failed error="error getting flags from fleet: The resource was not found"This is expected because your Fleet server version does not support this feature (was added in 4.21.0).
Sorry, when I installed the fleet-osquery.msi, I started to get results like "-" 400 157 "-" "-" on my Nginx Log.So, related to the above log, these 400s are expected, and should go away if you upgrade to 4.21.0 or higher. However...
I checked the identifier file, and it is emptyThis one is unexpected... should not be empty...
r
Reza Kazemy
12/21/2022, 8:15 AM@Lucas Rodriguez
@Kathy Satterlee
Thank you for your help.
I changed the version of the Fleetctl and fleet docker image to 4.21.0. and I deleted all the files which had been generated before for osquery and orbit on my file system. Now I am getting a valid identifier for my desktop and steel I cannot Open the fleet desktop tab on my browser because the keeps showing connecting on my taskbar.
2022-12-21T11:28:05+03:30 INF calling flags update
2022-12-21T11:28:35+03:30 INF calling flags update
2022-12-21T11:29:05+03:30 INF calling flags update
2022-12-21T11:29:35+03:30 INF calling flags update
2022-12-21T11:30:05+03:30 INF calling flags update
2022-12-21T11:30:26+03:30 INF orbit_endpoints capability changed, restarting
2022-12-21T11:30:31+03:30 INF running with auto updates disabled
2022-12-21T11:30:31+03:30 INF Failed to connect to Fleet server. Osquery connection may fail. error="dial for validate: verify certificate: x509: certificate is not valid for any names, but wanted to match <http://fleet.test.com|fleet.test.com>"
2022-12-21T11:30:31+03:30 INF killing any pre-existing fleet-desktop instances
2022-12-21T11:30:31+03:30 INF start osqueryd cmd="C:\\Program Files\\Orbit\\bin\\osqueryd\\windows\\stable\\osqueryd.exe --pidfile=C:\\Program Files\\Orbit\\osquery.pid --database_path=C:\\Program Files\\Orbit\\osquery.db --extensions_socket=\\\\.\\pipe\\orbit-osquery-extension --logger_path=C:\\Program Files\\Orbit\\osquery_log --enroll_secret_env ENROLL_SECRET --host_identifier=uuid --tls_hostname=localhost:60189 --enroll_tls_endpoint=/api/v1/osquery/enroll --config_plugin=tls --config_tls_endpoint=/api/v1/osquery/config --config_refresh=60 --disable_distributed=false --distributed_plugin=tls --distributed_tls_max_attempts=10 --distributed_tls_read_endpoint=/api/v1/osquery/distributed/read --distributed_tls_write_endpoint=/api/v1/osquery/distributed/write --logger_plugin=tls,filesystem --logger_tls_endpoint=/api/v1/osquery/log --disable_carver=false --carver_disable_function=false --carver_start_endpoint=/api/v1/osquery/carve/begin --carver_continue_endpoint=/api/v1/osquery/carve/block --carver_block_size=2000000 --tls_server_certs C:\\Program Files\\Orbit\\proxy\\fleet.crt --force --flagfile C:\\Program Files\\Orbit\\osquery.flags"
2022-12-21T11:30:31+03:30 INF using insecure TLS proxy addr=localhost:60189 target=<https://fleet.test.com:8443/>
2022-12-21T11:30:31+03:30 INF opening path="C:\\Program Files\\Orbit\\bin\\desktop\\windows\\stable\\fleet-desktop.exe"
I1221 11:30:31.632803 16908 interface.cpp:137] Registering extension (com.fleetdm.orbit.osquery_extension.v1, 9283, version=, sdk=)
I1221 11:30:35.637126 9452 eventfactory.cpp:156] Event publisher not enabled: ntfs_event_publisher: NTFS event publisher disabled via configuration
2022-12-21T11:31:01+03:30 INF calling flags update
2022-12-21T11:31:31+03:30 INF calling flags update
2022-12-21T11:40:03+03:30 INF calling flags update
2022-12-21T11:40:33+03:30 INF calling flags update
2022-12-21T11:41:03+03:30 INF calling flags update
2022-12-21T11:41:33+03:30 INF calling flags update
2022-12-21T11:42:03+03:30 INF calling flags update
2022-12-21T11:42:33+03:30 INF calling flags update
2022-12-21T11:43:03+03:30 INF calling flags update
2022-12-21T11:43:33+03:30 INF calling flags update
2022-12-21T11:44:03+03:30 INF calling flags update
2022-12-21T11:44:33+03:30 INF calling flags update
2022-12-21T11:45:03+03:30 INF calling flags update
2022-12-21T11:45:33+03:30 INF calling flags update
2022-12-21T11:46:03+03:30 INF calling flags updatel
Lucas Rodriguez
12/21/2022, 7:39 PMNow I am getting a valid identifier for my desktop and steel I cannot Open the fleet desktop tab on my browser because the keeps showing connecting on my taskbar.1. What do you mean by "valid identifier for my desktop"? 2. Now that you've upgraded and restored, please can you check
%LocalAppData%/Fleet/fleet-desktop.log@Reza Kazemy 👆
r
Reza Kazemy
12/22/2022, 5:31 AMYou had asked me for an identifier file content if it had a valid UUID and, I said it is empty.
Now it has a valid UUID.
Sure.
ERR get device URL error="unauthenticated, or invalid token"
2022-12-21T10:13:37+03:30 DBG successfully refetched the token from disk
2022-12-21T10:13:37+03:30 ERR get device URL error="decode GET /api/latest/fleet/device/64a0baf1-2409-4e2c-a98b-9f9ae1a8256d/desktop response: json: cannot unmarshal object into Go struct field fleetDesktopResponse.error of type error"
2022-12-21T10:13:42+03:30 DBG successfully refetched the token from disk
2022-12-21T10:13:42+03:30 ERR get device URL error="decode GET /api/latest/fleet/device/64a0baf1-2409-4e2c-a98b-9f9ae1a8256d/desktop response: json: cannot unmarshal object into Go struct field fleetDesktopResponse.error of type error"
2022-12-21T10:13:47+03:30 DBG successfully refetched the token from disk
2022-12-21T10:13:47+03:30 ERR get device URL error="decode GET /api/latest/fleet/device/64a0baf1-2409-4e2c-a98b-9f9ae1a8256d/desktop response: json: cannot unmarshal object into Go struct field fleetDesktopResponse.error of type error"
2022-12-21T10:13:52+03:30 DBG successfully refetched the token from disk
2022-12-21T10:13:52+03:30 ERR get device URL error="decode GET /api/latest/fleet/device/64a0baf1-2409-4e2c-a98b-9f9ae1a8256d/desktop response: json: cannot unmarshal object into Go struct field fleetDesktopResponse.error of type error"
2022-12-21T10:13:57+03:30 DBG successfully refetched the token from disk
2022-12-21T10:13:57+03:30 ERR get device URL error="decode GET /api/latest/fleet/device/64a0baf1-2409-4e2c-a98b-9f9ae1a8256d/desktop response: json: cannot unmarshal object into Go struct field fleetDesktopResponse.error of type error"
2022-12-21T10:14:02+03:30 DBG successfully refetched the token from disk
2022-12-21T10:14:02+03:30 ERR get device URL error="decode GET /api/latest/fleet/device/64a0baf1-2409-4e2c-a98b-9f9ae1a8256d/desktop response: json: cannot unmarshal object into Go struct field fleetDesktopResponse.error of type error"
2022-12-21T10:14:07+03:30 DBG successfully refetched the token from disk
2022-12-21T10:14:07+03:30 ERR get device URL error="decode GET /api/latest/fleet/device/64a0baf1-2409-4e2c-a98b-9f9ae1a8256d/desktop response: json: cannot unmarshal object into Go struct field fleetDesktopResponse.error of type error"
2022-12-21T10:14:12+03:30 DBG successfully refetched the token from disk
2022-12-21T10:14:12+03:30 ERR get device URL error="decode GET /api/latest/fleet/device/64a0baf1-2409-4e2c-a98b-9f9ae1a8256d/desktop response: json: cannot unmarshal object into Go struct field fleetDesktopResponse.error of type error"
2022-12-21T10:14:17+03:30 DBG successfully refetched the token from disk
2022-12-21T10:14:17+03:30 ERR get device URL error="decode GET /api/latest/fleet/device/64a0baf1-2409-4e2c-a98b-9f9ae1a8256d/desktop response: json: cannot unmarshal object into Go struct field fleetDesktopResponse.error of type error"
2022-12-21T10:14:22+03:30 DBG successfully refetched the token from disk
2022-12-21T10:14:22+03:30 ERR get device URL error="decode GET /api/latest/fleet/device/64a0baf1-2409-4e2c-a98b-9f9ae1a8256d/desktop response: json: cannot unmarshal object into Go struct field fleetDesktopResponse.error of type error"
2022-12-21T10:14:27+03:30 DBG successfully refetched the token from disk
2022-12-21T10:14:27+03:30 ERR get device URL error="decode GET /api/latest/fleet/device/64a0baf1-2409-4e2c-a98b-9f9ae1a8256d/desktop response: json: cannot unmarshal object into Go struct field fleetDesktopResponse.error of type error"
2022-12-21T10:14:32+03:30 DBG successfully refetched the token from disk
2022-12-21T10:14:32+03:30 ERR get device URL error="decode GET /api/latest/fleet/device/64a0baf1-2409-4e2c-a98b-9f9ae1a8256d/desktop response: json: cannot unmarshal object into Go struct field fleetDesktopResponse.error of type error"
2022-12-21T10:14:37+03:30 DBG successfully refetched the token from disk
2022-12-21T10:14:37+03:30 ERR get device URL error="decode GET /api/latest/fleet/device/64a0baf1-2409-4e2c-a98b-9f9ae1a8256d/desktop response: json: cannot unmarshal object into Go struct field fleetDesktopResponse.error of type error"
2022-12-21T10:14:42+03:30 DBG successfully refetched the token from disk
2022-12-21T10:14:42+03:30 ERR get device URL error="decode GET /api/latest/fleet/device/64a0baf1-2409-4e2c-a98b-9f9ae1a8256d/desktop response: json: cannot unmarshal object into Go struct field fleetDesktopResponse.error of type error"
2022-12-21T10:14:47+03:30 DBG successfully refetched the token from disk
2022-12-21T10:14:47+03:30 ERR get device URL error="decode GET /api/latest/fleet/device/64a0baf1-2409-4e2c-a98b-9f9ae1a8256d/desktop response: json: cannot unmarshal object into Go struct field fleetDesktopResponse.error of type error"
2022-12-21T10:14:52+03:30 DBG successfully refetched the token from disk
2022-12-21T10:14:52+03:30 ERR get device URL error="decode GET /api/latest/fleet/device/64a0baf1-2409-4e2c-a98b-9f9ae1a8256d/desktop response: json: cannot unmarshal object into Go struct field fleetDesktopResponse.error of type error"
2022-12-21T10:14:57+03:30 DBG successfully refetched the token from disk
2022-12-21T10:14:57+03:30 ERR get device URL error="decode GET /api/latest/fleet/device/64a0baf1-2409-4e2c-a98b-9f9ae1a8256d/desktop response: json: cannot unmarshal object into Go struct field fleetDesktopResponse.error of type error"
2022-12-21T10:15:02+03:30 DBG successfully refetched the token from disk
2022-12-21T10:15:02+03:30 ERR get device URL error="decode GET /api/latest/fleet/device/64a0baf1-2409-4e2c-a98b-9f9ae1a8256d/desktop response: json: cannot unmarshal object into Go struct field fleetDesktopResponse.error of type error"
2022-12-21T10:15:07+03:30 DBG successfully refetched the token from disk
2022-12-21T10:15:07+03:30 ERR get device URL error="decode GET /api/latest/fleet/device/64a0baf1-2409-4e2c-a98b-9f9ae1a8256d/desktop response: json: cannot unmarshal object into Go struct field fleetDesktopResponse.error of type error"
2022-12-21T10:15:12+03:30 DBG successfully refetched the token from disk
2022-12-21T10:15:12+03:30 ERR get device URL error="decode GET /api/latest/fleet/device/64a0baf1-2409-4e2c-a98b-9f9ae1a8256d/desktop response: json: cannot unmarshal object into Go struct field fleetDesktopResponse.error of type error"
2022-12-21T10:15:17+03:30 DBG successfully refetched the token from disk
2022-12-21T10:15:17+03:30 ERR get device URL error="decode GET /api/latest/fleet/device/64a0baf1-2409-4e2c-a98b-9f9ae1a8256d/desktop response: json: cannot unmarshal object into Go struct field fleetDesktopResponse.error of type error"
2022-12-21T10:15:22+03:30 DBG successfully refetched the token from disk
2022-12-21T10:15:22+03:30 ERR get device URL error="decode GET /api/latest/fleet/device/64a0baf1-2409-4e2c-a98b-9f9ae1a8256d/desktop response: json: cannot unmarshal object into Go struct field fleetDesktopResponse.error of type error"
2022-12-21T10:15:27+03:30 DBG successfully refetched the token from disk
2022-12-21T10:15:27+03:30 ERR get device URL error="decode GET /api/latest/fleet/device/64a0baf1-2409-4e2c-a98b-9f9ae1a8256d/desktop response: json: cannot unmarshal object into Go struct field fleetDesktopResponse.error of type error"
2022-12-21T10:15:32+03:30 DBG successfully refetched the token from diskl
Lucas Rodriguez
12/22/2022, 10:00 AM@Reza Kazemy OK cool. Sorry for the back and forth.
Now the request from Orbit is well formed, but the server response seems to be invalid.
Does your deployment have a proxy/server between Orbit and the Fleet Server? (Something like nginx)
r
Reza Kazemy
12/22/2022, 10:06 AM@Lucas Rodriguez
No problem my friend.
actually, I am using Nginx in order to redirect the requests to the fleet container.
between orbit and fleet server I do not think so.
However, let me send you my Nginx configuration. maybe it would help you.
server {
listen 443 ssl;
server_name <http://fleet.test.com|fleet.test.com>;
# Increase POST body size
client_max_body_size 300M;
# TLS
ssl_certificate /etc/nginx/tls/fleet.crt;
ssl_certificate_key /etc/nginx/tls/fleet.key;
ssl_session_timeout 10m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
###########################################################################################################################################################
# fleet web server
###########################################################################################################################################################
location ~/ {
proxy_pass <http://fleet:8080>;
proxy_read_timeout 90;
proxy_connect_timeout 90;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Proxy "";
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
}
location ~/api/v1/fleet {
grpc_pass <grpc://fleet:8080>;
grpc_set_header Host $host;
grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_buffering off;
}
location ~/api/v1/osquery {
grpc_pass <grpc://fleet:8080>;
grpc_set_header Host $host;
grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_buffering off;
}
}l
Lucas Rodriguez
12/22/2022, 10:12 AMFirst, let's try the following:
Go to your Fleet Desktop logs again. Grab the most recent error log, e.g. from your last error dump in this thread:
2022-12-21T10:15:27+03:30 ERR get device URL error="decode GET /api/latest/fleet/device/64a0baf1-2409-4e2c-a98b-9f9ae1a8256d/desktop response: json: cannot unmarshal object into Go struct field fleetDesktopResponse.error of type error"https://<YOUR FLEET ADDRESS HERE>/api/latest/fleet/device/64a0baf1-2409-4e2c-a98b-9f9ae1a8256d/desktop(The token rotates, hence do not use the URL above, you'll need to check the logs again and grab the latest error ^)
From looking at your nginx config, you will need to add an entry for
~/api/latest/fleetlocation ~/api/v1/fleet {r
Reza Kazemy
12/22/2022, 10:51 AM@Lucas Rodriguez
Here is the error that you had asked.
sure let me try adding this location path as well. I will tell you the result. Thank you so much for you help.
2022-12-22T14:20:27+03:30 ERR get device URL error="decode GET /api/latest/fleet/device/64a0baf1-2409-4e2c-a98b-9f9ae1a8256d/desktop response: json: cannot unmarshal object into Go struct field fleetDesktopResponse.error of type error"@Lucas Rodriguez
I added the location path as you said. However it is still not woriking.
the latest error:
2022-12-22T14:25:07+03:30 DBG successfully refetched the token from disk
2022-12-22T14:25:07+03:30 ERR get device URL error="decode GET /api/latest/fleet/device/64a0baf1-2409-4e2c-a98b-9f9ae1a8256d/desktop response: json: cannot unmarshal object into Go struct field fleetDesktopResponse.error of type error"
2022-12-22T14:25:12+03:30 DBG successfully refetched the token from disk
2022-12-22T14:25:12+03:30 ERR get device URL error="decode GET /api/latest/fleet/device/64a0baf1-2409-4e2c-a98b-9f9ae1a8256d/desktop response: json: cannot unmarshal object into Go struct field fleetDesktopResponse.error of type error"l
Lucas Rodriguez
12/22/2022, 11:05 AMOK, try visiting
https://<FLEET_SERVER>/api/latest/fleet/device/64a0baf1-2409-4e2c-a98b-9f9ae1a8256d/desktop@Reza Kazemy 👆
r
Reza Kazemy
12/25/2022, 9:30 AMHi @Lucas Rodriguez
Sorry. It has the same error as before.
I even tried to change the request protocol from grpc to http but it is not working again. the error says there is something wrong with the JSON response. How could it happen? all the versions are matched and nothing is wrong with my request now because I have 200 response codes in my Nginx logs.
see:
fleet-nginx | 172.23.0.1 - - [25/Dec/2022:09:15:50 +0000] "POST /api/v1/osquery/distributed/read HTTP/1.1" 200 64 "-" "osquery/5.6.0"
fleet-nginx | 172.23.0.1 - - [25/Dec/2022:09:15:51 +0000] "POST /api/fleet/orbit/config HTTP/1.1" 200 3 "-" "Go-http-client/1.1"
fleet-nginx | 172.23.0.1 - - [25/Dec/2022:09:15:55 +0000] "GET /api/latest/fleet/device/64a0baf1-2409-4e2c-a98b-9f9ae1a8256d/desktop HTTP/1.1" 200 18 "-" "Go-http-client/1.1"the response of
https://<FLEET_SERVER>/api/latest/fleet/device/64a0baf1-2409-4e2c-a98b-9f9ae1a8256d/desktopl
Lucas Rodriguez
12/26/2022, 6:18 PMHi @Reza Kazemy! You are now seeing a bug of 4.22.0 that was fixed in 4.22.1 (see the release notes). Can you upgrade and try again?
r
Reza Kazemy
12/28/2022, 5:18 AMsure,
I will upgrade the version and, inform you about the result.
@Lucas Rodriguez
@Lucas Rodriguez Hi my friend.
I still had the same error as before.
2022-12-22T14:25:12+03:30 ERR get device URL error="decode GET /api/latest/fleet/device/64a0baf1-2409-4e2c-a98b-9f9ae1a8256d/desktop response: json: cannot unmarshal object into Go struct field fleetDesktopResponse.error of type error"when I entered
https://<FLEET_SERVER>/api/latest/fleet/device/64a0baf1-2409-4e2c-a98b-9f9ae1a8256d/desktoperror: {}l
Lucas Rodriguez
12/29/2022, 9:13 AMHi @Reza Kazemy! OK, can you double check Fleet's version?
curl https://<YOUR FLEET ADDRESS>/versionr
Reza Kazemy
12/29/2022, 10:03 AM@Lucas Rodriguez
I cannot thank you enough. Unfortunately, I had forgotten to change one of my ENV variables to complete the upgrade steps. Now I am running fleet on version v.4.22.1 as you said and everything is working on my local device.
Thank you so much.