Channels
#fleet
Title
# fleet
s
Shend Saliaga
01/17/2023, 9:04 PMHi! I keep hitting the following error:
Copy code
"level=error ts=2023-01-17T20:52:34.232573858Z component=http method=POST uri=/api/v1/osquery/distributed/write took=419.259117ms ip_addr=74.122.186.196 x_for_ip_addr="74.122.186.196, 35.201.103.38" ingestion-err="ingesting query users: update host users: insert users: Error 1390: Prepared statement contains too many placeholders" err="error in query ingestion"
"fleetdm/fleet:v4.25.0z
zwass
01/17/2023, 11:22 PM
Have you double-checked you ran all the DB migrations.
s
Shend Saliaga
01/18/2023, 2:05 AMJust doubled checked and ran the migrations again
Copy code
~/Development/infosec-fleet-kubernetes master kubectl logs job.batch/fleet-prepare-db -c fleet -n fleet
Migrations already completed. Nothing to do.Following up on this issue, as this might be red herring. The real problem im having is that after upgrading osquery from 5.2.2 to 5.7 our pubsub topic stopped receiving logs. However all the agents were online and queryable through the UI after the update to 5.7. Reverting to 5.2.2 did not fix the issue either
k
Kathy Satterlee
01/18/2023, 8:32 PMCan you verify the logging configuration on your agents by running the following query through Fleet:
Copy code
SELECT name, value FROM osquery_flags WHERE name = "logger_plugin" ;s
Shend Saliaga
01/18/2023, 8:38 PMimage.png
should this be tls?
Looks like it is reverting for filesystem for all of our linux hosts
Thanks! Ill read into this
Looks like we are using
config_plugin Copy code
--logger_stderr=false
--logger_min_status=1
--enroll_tls_endpoint=/api/v1/osquery/enroll
--config_plugin=tls
--config_tls_endpoint=/api/v1/osquery/config
--config_refresh=1800
--watchdog_level=0
--watchdog_memory_limit=1024
--watchdog_delay=3600Looks like it has changed to
--logger_plugin=nameWhere can I find deprecations like this? I cant seem to find it in the release notes?
k
Kathy Satterlee
01/18/2023, 8:57 PMYou'll need to set that in your osquery flags. I don't believe that the flag itself has changed, but osquery itself has gotten a bit stricter about how and where command line flags can be set. It sounds like you may have previously set that in your Fleet agent options. is that right?
s
Shend Saliaga
01/18/2023, 8:58 PMCorrect, I did notice that last night when pulling down my config
Copy code
~/Development/infosec-fleet-kubernetes/staging master * sudo fleetctl apply -f fleet_org.yml
Warning: Version mismatch.
Client Version: 4.24.0
Server Version: 4.25.0
Error: applying fleet config: PATCH /api/latest/fleet/config received status 400 Bad Request: unsupported key provided: "logger_mode"
~/Development/infosec-fleet-kubernetes/staging master * sudo fleetctl apply -f fleet_org.yml
Warning: Version mismatch.
Client Version: 4.24.0
Server Version: 4.25.0
Error: applying fleet config: PATCH /api/latest/fleet/config received status 400 Bad Request: unsupported key provided: "logger_mode"
~/Development/infosec-fleet-kubernetes/staging master * V
~/Development/infosec-fleet-kubernetes/staging master * vi fleet_org.yml
~/Development/infosec-fleet-kubernetes/staging master * sudo fleetctl apply -f fleet_org.yml
Warning: Version mismatch.
Client Version: 4.24.0
Server Version: 4.25.0
Error: applying fleet config: PATCH /api/latest/fleet/config received status 400 Bad Request: unsupported key provided: "logger_plugin"
~/Development/infosec-fleet-kubernetes/staging master * vi fleet_org.yml
~/Development/infosec-fleet-kubernetes/staging master * sudo fleetctl apply -f fleet_org.yml
Warning: Version mismatch.
Client Version: 4.24.0
Server Version: 4.25.0
Error: applying fleet config: PATCH /api/latest/fleet/config received status 400 Bad Request: unsupported key provided: "utc"Had to delete these keys
logger_modelogger_pluginutck
Kathy Satterlee
01/18/2023, 8:59 PMHere's the full flag list just to be safe:
https://fleetdm.com/docs/using-fleet/adding-hosts#configure-and-launch-osquery
s
Shend Saliaga
01/18/2023, 8:59 PMThanks Ill definitely review
17 Views