Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
b
brian
01/31/2023, 9:10 PMHi all, does anyone have any idea how to track down what’s causing a “ghost” device to show up in our hosts? Even if it’s deleted, it seems to come back periodically. There’s no info associated with it that I can find, and nothing obvious in the Fleet logs. Thanks for any tips anyone can provide.
k
Kathy Satterlee
01/31/2023, 9:45 PMHi @brian! Are you using Fleet generated packages or plain osquery to enroll your hosts?
b
brian
01/31/2023, 9:45 PMwe’re using Fleet-generated packages.
k
Kathy Satterlee
01/31/2023, 9:48 PMAre you specifying a host identifier in your agent options? It sounds like this may be related to https://github.com/fleetdm/fleet/issues/9033
b
brian
01/31/2023, 9:50 PMhmm. we’re not doing anything to specify a host identifier.
k
Kathy Satterlee
01/31/2023, 9:51 PMWhat about in the Fleet configuration? https://fleetdm.com/docs/deploying/configuration#osquery-host-identifier
b
brian
01/31/2023, 9:56 PMnope, nothing there either for host identifier.
k
Kathy Satterlee
01/31/2023, 10:05 PMDo you have access to the Fleet database? I'd like to see if anything comes back from this query:
SELECT * FROM hosts WHERE orbit_node_key = NULL;b
brian
01/31/2023, 10:07 PMI could probably set that up tomorrow (Fleet is running on ECS so I’d have to launch a temporary EC2 instance to get to the RDS instance where the database is hosted).
k
Kathy Satterlee
01/31/2023, 10:10 PMSounds good. I'm betting that it's a similar situation and there's a host that didn't quite enroll properly and Orbit keeps trying to re-enroll. If we can track down what host that is, next step will be to check out the Orbit logs on the host to verify/get additional information on what's happening. Then likely remove both the fragment and the real host and see what happens.
b
brian
01/31/2023, 10:17 PM👍 thanks for the help! I’ll let you know what I find tomorrow.
I think I found the troublesome host, it looks like it has two entries in the hosts table, one of them with a null orbit_node_key:
| 56 | 51b2b9d6-e102-49c3-9fd7-2f8cac64fb3d | 2023-01-30 19:33:49 | JJFxbCFU93oRY94xyzhz2l11WkIZ1tUI | localhost | 51b2b9d6-e102-49c3-9fd7-2f8cac64fb3d | 2023-01-30 19:33:49 | NULL |
| 94 | 6c76c81a-cb0d-4288-8201-06bc558dda5a | 2023-02-01 16:00:56 | IYKQaZsExKnuFXNv0rdBSUgEKyfktEi6 | | | 1970-01-02 00:00:00 | IYKQaZsExKnuFXNv0rdBSUgEKyfktEi6 |maybe easier to read…
| hostname | uuid | last_enrolled_at | orbit_node_key |
+--------------------------+--------------------------------------+---------------------+----------------------------------+
| localhost | 51b2b9d6-e102-49c3-9fd7-2f8cac64fb3d | 2023-01-30 19:33:49 | NULL |
| | | 1970-01-02 00:00:00 | IYKQaZsExKnuFXNv0rdBSUgEKyfktEi6 |so doing some poking around, it looks like this is probably related to https://github.com/fleetdm/fleet/issues/9132, since I’m also seeing empty
orbit_node_keyorbit_node_keynode_keyk
Kathy Satterlee
02/02/2023, 8:41 PMAbsolutely. Sorry for slow response today! Are you able to share the Orbit logs for that host?
I'd also like to see what happens if you uninstall Orbit on the host, remove both the artifact and the host from Fleet, and then re-enroll it using a package created with the
--debugb
brian
02/02/2023, 9:15 PMthese are some of the debug lines we’re seeing:
Feb 2 16:04:41 localhost orbit[58456]: 2023-02-02T16:04:41-05:00 DBG no update target=orbit
Feb 2 16:04:41 localhost orbit[58456]: 2023-02-02T16:04:41-05:00 DBG no update target=osqueryd
Feb 2 16:04:42 localhost orbit[58456]: 2023-02-02T16:04:42-05:00 DBG found expected target locally path=/opt/orbit/bin/osqueryd/linux/stable/osqueryd target=osqueryd
Feb 2 16:04:42 localhost orbit[58456]: 2023-02-02T16:04:42-05:00 DBG running single query (SELECT uuid FROM system_info)
Feb 2 16:04:42 localhost orbit[58456]: 2023-02-02T16:04:42-05:00 DBG UUID is 6e2c24c6-f205-4b39-8bf3-28fc825c2156
Feb 2 16:04:42 localhost orbit[58456]: 2023-02-02T16:04:42-05:00 INF initial flags update failed error="error getting flags from fleet: unauthenticated, or invalid token"
Feb 2 16:04:42 localhost orbit[58456]: 2023-02-02T16:04:42-05:00 DBG /opt/orbit/extensions.load not found, nothing to update
Feb 2 16:04:43 localhost orbit[58456]: 2023-02-02T16:04:43-05:00 DBG no update target=orbit
Feb 2 16:04:43 localhost orbit[58456]: 2023-02-02T16:04:43-05:00 DBG no update target=osqueryd
Feb 2 16:04:43 localhost orbit[58456]: 2023-02-02T16:04:43-05:00 INF token rotation is enabled
Feb 2 16:04:43 localhost orbit[58456]: 2023-02-02T16:04:43-05:00 DBG starting flag updater
Feb 2 16:04:43 localhost orbit[58456]: 2023-02-02T16:04:43-05:00 DBG starting extension runner
Feb 2 16:04:43 localhost orbit[58456]: 2023-02-02T16:04:43-05:00 DBG start updater
Feb 2 16:04:43 localhost orbit[58456]: 2023-02-02T16:04:43-05:00 DBG start osquery extensionthat UUID
6e2c24c6-f205-4b39-8bf3-28fc825c2156osquery_host_id(that’s after uninstalling, and then reinstalling)
this is from the person whose laptop is getting registered twice:
So it appears that every time orbit is restarted this UUID is regenerated
Feb 2 17:25:23 localhost orbit[74253]: 2023-02-02T17:25:23-05:00 DBG running single query (SELECT uuid FROM system_info)
Feb 2 17:25:23 localhost orbit[74253]: 2023-02-02T17:25:23-05:00 DBG UUID is 818ec869-0fc6-4522-8aa7-216e0f16f2b5r
Ryan W.
02/03/2023, 7:46 PMThis issue is also showing up in our environment, and running the same set of SQL queries shows similar results.
I should mention, we get this for about a dozen devices in an environment of maybe 75 total.
k
Kathy Satterlee
02/03/2023, 7:56 PMThanks for all of the information. Can you both verify your Fleet version for me?
If you are also on GitHub and can share your username (feel free to DM), I'd like to tag you in the issue as well.
You can also follow here:
https://github.com/fleetdm/fleet/issues/9132
b
brian
02/03/2023, 8:03 PMFleet 4.26.0 for us. and osquery 5.7.0 it looks like. GitHub username is
briandefiantr
Ryan W.
02/03/2023, 8:34 PMfleet 4.26.0 , osquery 5.7.0
github username is weetabix
I can further report this did not happen in our first, hasty test instance, which used some of the same machines. There isnt a decent enough overlap between the two groups though, for me to suspect a left over config or something, since it couldnt exist on at least a third of the suspect machine4s.
l
Lucas Rodriguez
02/06/2023, 12:12 PMHi folks!
If any of you have access to the hosts that are having this issue, please take a look at https://github.com/fleetdm/fleet/issues/9132#issuecomment-1418943150.