https://github.com/osquery/osquery logo
#fleet
Title
# fleet
m

Marina

01/23/2023, 4:01 PM
Hi, team! I have problem with Live Query in fleet. And i view some errors: Jan 20 152738 v-uib-lin-20 fleet[3733789]: {"component":"http","err":"read auth token: reading from websocket: sockjs: session not in open state","msg":"failed to read auth token","ts":"2023-01-20T122738.434424104Z"} an 20 152926 v-uib-lin-21 fleet[4025685]: {"component":"http","err":"error in query ingestion","ingestion-err":"campaign waiting for listener (please retry)","ip_addr":"my_ip:my_port","level":"error","method":"POST","took":"1.61690 Jan 20 152946 v-uib-lin-22 fleet[547314]: {"component":"http","err":"error in query ingestion","ingestion-err":"campaign stopped","ip_addr":"my_ip:my_port","level":"error","method":"POST","took":"7.431431ms","ts":"2023-01-20T12294 l Jan 18 234210 v-uib-lin-22 fleet[547314]: 2023/01/18 234210 http: TLS handshake error from my_ip:my_port tls: client offered only unsupported versions: [301] Jan 18 234219 v-uib-lin-22 fleet[547314]: 2023/01/18 234219 http: TLS handshake error from my_ip:my_port tls: first record does not look like a TLS handshake I checked, i have this settings in my nginx.conf file: proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "Upgrade"; Can you help me to solve problem? Thanks!
k

Kathy Satterlee

01/23/2023, 6:20 PM
Hi @Marina! Do you have Fleet terminating TLS? If so, what is your setting for server-tls-compatibility?
m

Marina

01/23/2023, 7:43 PM
Hi @Kathy Satterlee! Thanks for reply! My nginx settings: cat /etc/nginx/nginx.conf http { log_format main '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for"'; access_log /var/log/nginx/access.log main; sendfile on; tcp_nopush on; tcp_nodelay on; keepalive_timeout 65; types_hash_max_size 4096; include /etc/nginx/mime.types; default_type application/octet-stream; include /etc/nginx/conf.d/*.conf; upstream fleet { server ip_server1:8080; server ip_server2:8080; server ip_server3:8080; server ip_server4:8080; server ip_server5:8080; server ip_server6:8080; server ip_server7:8080; } server { listen 8080 ssl; server_name my_server_name; root /usr/share/nginx/html; ssl_certificate "/etc/fleet/certs/server.cert"; ssl_certificate_key "/etc/fleet/certs/server.key"; client_max_body_size 0; # Load configuration files for the default server block. include /etc/nginx/default.d/*.conf; location /api/v1/osquery/ { proxy_pass https://fleet; proxy_ssl_verify off; } #error_page 404 /404.html; location / { deny all; } } server { listen 8081 ssl; server_name my_server_name; root /usr/share/nginx/html; ssl_certificate "/etc/fleet/certs/server.cert"; ssl_certificate_key "/etc/fleet/certs/server.key"; client_max_body_size 0; # Load configuration files for the default server block. include /etc/nginx/default.d/*.conf; location / { proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "Upgrade"; proxy_set_header Host $host; proxy_pass https://my_ip:8080; proxy_ssl_verify off; } #error_page 404 /404.html; } }
and fleet settings: cat /etc/fleet/fleet.conf mysql: address: ip:port database: db username: username password: pass redis: address: ip:port password: pass server: address: ip:port cert: /etc/fleet/certs/server.cert key: /etc/fleet/certs/server.key tlsprofile: intermidiate logging: json: true auth: jwt_key: key filesystem: result_log_file: /var/log/osquery_result.log status_log_file: /var/log/osquery_status.log enable_log_rotation: true ososquery: host_identifier: uuid
Hello, @Kathy Satterlee! I fixed problems with errors ssl, but i have this error. May be you know, how it fix? Jan 20 152738 v-uib-lin-20 fleet[3733789]: {"component":"http","err":"read auth token: reading from websocket: sockjs: session not in open state","msg":"failed to read auth token","ts":"2023-01-20T122738.434424104Z"}
2 Views