Hi all, does anyone have any idea how to track down what’s causing a “ghost” device to show up in our hosts? Even if it’s deleted, it seems to come back periodically. There’s no info associated with it that I can find, and nothing obvious in the Fleet logs. Thanks for any tips anyone can provide.

Hi @brian! Are you using Fleet generated packages or plain osquery to enroll your hosts?

we’re using Fleet-generated packages.

Are you specifying a host identifier in your agent options? It sounds like this may be related to https://github.com/fleetdm/fleet/issues/9033

hmm. we’re not doing anything to specify a host identifier.

What about in the Fleet configuration? https://fleetdm.com/docs/deploying/configuration#osquery-host-identifier

nope, nothing there either for host identifier.

Do you have access to the Fleet database? I'd like to see if anything comes back from this query:

SELECT * FROM hosts WHERE orbit_node_key = NULL;

I could probably set that up tomorrow (Fleet is running on ECS so I’d have to launch a temporary EC2 instance to get to the RDS instance where the database is hosted).

Sounds good. I'm betting that it's a similar situation and there's a host that didn't quite enroll properly and Orbit keeps trying to re-enroll. If we can track down what host that is, next step will be to check out the Orbit logs on the host to verify/get additional information on what's happening. Then likely remove both the fragment and the real host and see what happens.

👍 thanks for the help! I’ll let you know what I find tomorrow.

Absolutely. Sorry for slow response today! Are you able to share the Orbit logs for that host? I'd also like to see what happens if you uninstall Orbit on the host, remove both the artifact and the host from Fleet, and then re-enroll it using a package created with the

--debug

flag for more verbose logging.

these are some of the debug lines we’re seeing:

Feb  2 16:04:41 localhost orbit[58456]: 2023-02-02T16:04:41-05:00 DBG no update target=orbit
Feb  2 16:04:41 localhost orbit[58456]: 2023-02-02T16:04:41-05:00 DBG no update target=osqueryd
Feb  2 16:04:42 localhost orbit[58456]: 2023-02-02T16:04:42-05:00 DBG found expected target locally path=/opt/orbit/bin/osqueryd/linux/stable/osqueryd target=osqueryd
Feb  2 16:04:42 localhost orbit[58456]: 2023-02-02T16:04:42-05:00 DBG running single query (SELECT uuid FROM system_info)
Feb  2 16:04:42 localhost orbit[58456]: 2023-02-02T16:04:42-05:00 DBG UUID is 6e2c24c6-f205-4b39-8bf3-28fc825c2156
Feb  2 16:04:42 localhost orbit[58456]: 2023-02-02T16:04:42-05:00 INF initial flags update failed error="error getting flags from fleet: unauthenticated, or invalid token"
Feb  2 16:04:42 localhost orbit[58456]: 2023-02-02T16:04:42-05:00 DBG /opt/orbit/extensions.load not found, nothing to update
Feb  2 16:04:43 localhost orbit[58456]: 2023-02-02T16:04:43-05:00 DBG no update target=orbit
Feb  2 16:04:43 localhost orbit[58456]: 2023-02-02T16:04:43-05:00 DBG no update target=osqueryd
Feb  2 16:04:43 localhost orbit[58456]: 2023-02-02T16:04:43-05:00 INF token rotation is enabled
Feb  2 16:04:43 localhost orbit[58456]: 2023-02-02T16:04:43-05:00 DBG starting flag updater
Feb  2 16:04:43 localhost orbit[58456]: 2023-02-02T16:04:43-05:00 DBG starting extension runner
Feb  2 16:04:43 localhost orbit[58456]: 2023-02-02T16:04:43-05:00 DBG start updater
Feb  2 16:04:43 localhost orbit[58456]: 2023-02-02T16:04:43-05:00 DBG start osquery extension

This issue is also showing up in our environment, and running the same set of SQL queries shows similar results.

Thanks for all of the information. Can you both verify your Fleet version for me?

Fleet 4.26.0 for us. and osquery 5.7.0 it looks like. GitHub username is

briandefiant

.

fleet 4.26.0 , osquery 5.7.0

Hi folks! If any of you have access to the hosts that are having this issue, please take a look at https://github.com/fleetdm/fleet/issues/9132#issuecomment-1418943150.