Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
g
Graham Anderson
12/07/2022, 10:17 AMHi!
I just installed fleet server in a testing k8s cluster and on-boarded a couple of hosts using a generated .deb package for linux (orbit). The hosts report their basic details (disk, cpu, OS etc) just fine but additional info is not available and I see the following types of errors in the fleet server log:
level=error ts=2022-12-07T10:10:15.110183011Z query=fleet_detail_query_network_interface_unix message="distributed query is denylisted" hostID=1
...
level=error ts=2022-12-07T10:10:35.499363345Z component=http method=POST uri=/api/v1/osquery/distributed/write took=3.131795221s ip_addr=10.244.3.87 x_for_ip_addr=10.244.3.87 ingestion-err="ingesting query software_linux: update host software: get software: context canceled" ingestion-err="ingest detail query: selecting app config: context canceled" ingestion-err="ingest detail query: selecting app config: context canceled" ingestion-err="ingest detail query: selecting app config: context canceled" ingestion-err="ingest detail query: selecting app config: context canceled" ingestion-err="ingest detail query: selecting app config: context canceled" ingestion-err="ingest detail query: selecting app config: context canceled" ingestion-err="ingest detail query: selecting app config: context canceled" ingestion-err="ingest detail query: selecting app config: context canceled" ingestion-err="ingest detail query: selecting app config: context canceled" ingestion-err="ingest detail query: selecting app config: context canceled" ingestion-err="ingest detail query: selecting app config: context canceled" ingestion-err="ingest detail query: selecting app config: context canceled" ingestion-err="ingest detail query: selecting app config: context canceled" err="error in query ingestion || error in query ingestion || error in query ingestion || error in query ingestion || error in query ingestion || error in query ingestion || error in query ingestion || error in query ingestion || error in query ingestion || error in query ingestion || error in query ingestion || error in query ingestion || error in query ingestion || error in query ingestion || getting app config: selecting app config: context canceled"If the watchdog stops the daemon while a distributed query was running then such query will be denylisted from running for 24 hours.However the host config using query shell
.showNon-default flags/options:
database_path: /opt/orbit/shell/osquery.db
disable_events: true
disable_logging: true
disable_watchdog: trueorbit 1.4.0
fleet 4.24.0s
sharvil
12/07/2022, 10:30 AMhey @Graham Anderson, welcome! would you mind posting this in #fleet channel please? someone there might be able to help better, thanks!
g
Graham Anderson
12/07/2022, 10:32 AM👍