# fleet
j
Hello folks! I’m constantly receiving the message `flags updates failed error="error getting flags from fleet: enroll endpoint does not exist"`, and I think this is the culprit of most of my hosts not being able to generate logs from the `process_events` and `socket_events` tables, even tho the `file_events` work.
Fleet version: `4.26.0`, but had the same problem on `4.22.1`
Orbit version: `1.5.0`
(Also, is there anything on your side that is pending? I’m getting the error below when trying to generate an orbit package from fleetctl after upgrading to 4.26.0: `Error: initialize updates: failed to update metadata: update metadata: tuf: failed to decode timestamp.json: unexpected end of JSON input`)
z
Can you please try the `fleetctl package` again? There was an issue with the CDN provider we use for the updates repository that they say has just been resolved.
j
Hey Zach, generating the package now works flawlessly, thank you!
z
Great! Your other issue looks unrelated to the error message you are seeing. Maybe you are missing some configuration? See https://osquery.readthedocs.io/en/latest/deployment/process-auditing/ for that.
j
Alright, will check that page carefully. Thanks again Zach! Will update here if I get news about this tshoot 😃
z
That error might be because your agents don't have access to `/api/orbit/enroll`. Maybe you need to configure a load balancer or firewall to allow that? Doing so allows you to use some of the newer features like managing osquery startup flags from the Fleet server.
j
Oh, that makes sense. I thought the endpoint in question was `/api/osquery/enroll`, which was allowed previously, and since I could set up File Integrity Monitoring directly through the web UI, I thought I had all in place to make these “hot” changes, but that makes sense. I didn’t see a few flags I’ve tried on the UI while troubleshooting the event tables, probably because of this endpoint. Will enable this in the deploy window tomorrow and keep the tests, but I’m pretty confident it is the one. Again, thank you very much sir! 🫡
z
Yeah, note that osquery has startup flags (which couldn't be remotely configured but now can be with the Fleet packages) and then configurations which have always been configurable remotely (like the FIM configs).