Graham Anderson
12/07/2022, 10:17 AM
level=error ts=2022-12-07T10:10:15.110183011Z query=fleet_detail_query_network_interface_unix message="distributed query is denylisted" hostID=1
...
level=error ts=2022-12-07T10:10:35.499363345Z component=http method=POST uri=/api/v1/osquery/distributed/write took=3.131795221s ip_addr=10.244.3.87 x_for_ip_addr=10.244.3.87 ingestion-err="ingesting query software_linux: update host software: get software: context canceled" ingestion-err="ingest detail query: selecting app config: context canceled" ingestion-err="ingest detail query: selecting app config: context canceled" ingestion-err="ingest detail query: selecting app config: context canceled" ingestion-err="ingest detail query: selecting app config: context canceled" ingestion-err="ingest detail query: selecting app config: context canceled" ingestion-err="ingest detail query: selecting app config: context canceled" ingestion-err="ingest detail query: selecting app config: context canceled" ingestion-err="ingest detail query: selecting app config: context canceled" ingestion-err="ingest detail query: selecting app config: context canceled" ingestion-err="ingest detail query: selecting app config: context canceled" ingestion-err="ingest detail query: selecting app config: context canceled" ingestion-err="ingest detail query: selecting app config: context canceled" ingestion-err="ingest detail query: selecting app config: context canceled" err="error in query ingestion || error in query ingestion || error in query ingestion || error in query ingestion || error in query ingestion || error in query ingestion || error in query ingestion || error in query ingestion || error in query ingestion || error in query ingestion || error in query ingestion || error in query ingestion || error in query ingestion || error in query ingestion || getting app config: selecting app config: context canceled"
For the first type of error, in osquery docs it states:
If the watchdog stops the daemon while a distributed query was running then such query will be denylisted from running for 24 hours.
However, the host config using query shell .show offers the following:
Non-default flags/options:
database_path: /opt/orbit/shell/osquery.db
disable_events: true
disable_logging: true
disable_watchdog: true
So how can I prevent the NIC distributed query from being "denylisted"?
For the second error, I really don't know where to start for help resolving software packages being available for the hosts in fleet server 🤷
orbit 1.4.0
fleet 4.24.0
sharvil
12/07/2022, 10:30 AM
Graham Anderson
12/07/2022, 10:32 AM