Hey < Kathy Satterlee> this is the error on my windows host osquery #fleet

Hey <@U02KY9FDA59> this is the error on my windows...

Ojas

02/21/2023, 1:22 PM

Hey @Kathy Satterlee this is the error on my windows host of fleet desktop which is showing offline even when fleet service is running on it.

Copy code

2023-02-21T18:42:39+05:30 INF Shutdown was requested!
2023-02-21T18:42:39+05:30 INF exit
2023-02-21T18:43:48+05:30 INF fleet-desktop version=1.3.1
2023-02-21T18:43:48+05:30 INF Comm channel was acquired
2023-02-21T18:43:48+05:30 INF ready
2023-02-21T18:43:48+05:30 DBG successfully refetched the token from disk
2023-02-21T18:43:49+05:30 INF Shutdown was requested!
2023-02-21T18:43:49+05:30 ERR get device URL error="GET /api/latest/fleet/device/************/desktop received status 429 limit exceeded, retry after: 0s: limit exceeded, retry after: 0s"
2023-02-21T18:43:49+05:30 INF exit\

Ojas

02/21/2023, 1:22 PM

and after this i keep getting

Copy code

2023-02-21T18:43:48+05:30 DBG successfully refetched the token from disk
2023-02-21T18:43:49+05:30 INF Shutdown was requested!

Copy code

2023-02-21T18:43:48+05:30 DBG successfully refetched the token from disk
2023-02-21T18:43:49+05:30 INF Shutdown was requested!

Copy code

2023-02-21T18:43:48+05:30 DBG successfully refetched the token from disk
2023-02-21T18:43:49+05:30 INF Shutdown was requested!

these

Lucas Rodriguez

02/21/2023, 2:01 PM

Hi! Seems Orbit is signalling Fleet Desktop to shut down. Could you check Orbit logs (

C:\Windows\system32\config\systemprofile\AppData\Local\FleetDM\Orbit\Logs\orbit-osquery.log

Ojas

02/22/2023, 7:37 AM

Copy code

(osqueryd)=3b673b843e49c24dfd77d62ca650b308e332a2922da1ab7610c8b8e3265c0cd51d7575f00dd329efadb1f887883041f83dbde769eaa7c0a11fed3b8394b115c7
2023-02-22T01:34:40+05:30 INF hash(desktop)=bdc45d4df0cfe9e378910931004c734ca2687eac7e4fe8e53c9e475a84f3ededf35414ab2585519827062249c51d042eec5cab8d2ba9a6b3a6c343b0440e7b7f
2023-02-22T01:34:40+05:30 INF early update check failed error="update metadata: update metadata: tuf: failed to download 3.root.json: Get \"<https://tuf.fleetctl.com/3.root.json>\": dial tcp: lookup <http://tuf.fleetctl.com|tuf.fleetctl.com>: no such host"
2023-02-22T01:34:40+05:30 INF initial flags update failed error="error getting flags from fleet: POST /api/fleet/orbit/config: Post \"<https://fleet.tpsec.co/api/fleet/orbit/config>\": dial tcp: lookup <http://fleet.tpsec.co|fleet.tpsec.co>: no such host"
2023-02-22T01:34:40+05:30 INF initial update to fetch extensions from /config API failed error="extensionsUpdate: error getting extensions config from fleet: POST /api/fleet/orbit/config: Post \"<https://fleet.tpsec.co/api/fleet/orbit/config>\": dial tcp: lookup <http://fleet.tpsec.co|fleet.tpsec.co>: no such host"
2023-02-22T01:34:40+05:30 INF initial extensions update action failed error="update metadata: update metadata: tuf: failed to download 3.root.json: Get \"<https://tuf.fleetctl.com/3.root.json>\": dial tcp: lookup <http://tuf.fleetctl.com|tuf.fleetctl.com>: no such host"
2023-02-22T01:34:40+05:30 INF killing any pre-existing fleet-desktop instances
2023-02-22T01:34:40+05:30 INF start osqueryd cmd="C:\\Program Files\\Orbit\\bin\\osqueryd\\windows\\stable\\osqueryd.exe --pidfile=C:\\Program Files\\Orbit\\osquery.pid --database_path=C:\\Program Files\\Orbit\\osquery.db --extensions_socket=\\\\.\\pipe\\orbit-osquery-extension --logger_path=C:\\Program Files\\Orbit\\osquery_log --enroll_secret_env ENROLL_SECRET --host_identifier=uuid --tls_hostname=<http://fleet.tpsec.co|fleet.tpsec.co> --enroll_tls_endpoint=/api/v1/osquery/enroll --config_plugin=tls --config_tls_endpoint=/api/v1/osquery/config --config_refresh=60 --disable_distributed=false --distributed_plugin=tls --distributed_tls_max_attempts=10 --distributed_tls_read_endpoint=/api/v1/osquery/distributed/read --distributed_tls_write_endpoint=/api/v1/osquery/distributed/write --logger_plugin=tls,filesystem --logger_tls_endpoint=/api/v1/osquery/log --disable_carver=false --carver_disable_function=false --carver_start_endpoint=/api/v1/osquery/carve/begin --carver_continue_endpoint=/api/v1/osquery/carve/block --carver_block_size=2000000 --tls_server_certs C:\\Program Files\\Orbit\\certs.pem --force --flagfile C:\\Program Files\\Orbit\\osquery.flags"
2023-02-22T01:34:40+05:30 ERR pinging the server error="HEAD /api/fleet/orbit/ping: Head \"<https://fleet.tpsec.co/api/fleet/orbit/ping>\": dial tcp: lookup <http://fleet.tpsec.co|fleet.tpsec.co>: no such host"
2023-02-22T01:34:40+05:30 INF opening path="C:\\Program Files\\Orbit\\bin\\desktop\\windows\\stable\\fleet-desktop.exe"
E0222 01:34:41.065012 10104 shutdown.cpp:79] [Ref #1382] osqueryd has unsafe permissions: C:\Program Files\Orbit\bin\osqueryd\windows\stable\osqueryd.exe
2023-02-22T12:01:21+05:30 ERR unexpected exit error="osqueryd exited with error: exit status 1"
2023-02-22T12:01:23+05:30 INF update metadata. using saved metadata error="update metadata: tuf: failed to download 3.root.json: Get \"<https://tuf.fleetctl.com/3.root.json>\": dial tcp: lookup <http://tuf.fleetctl.com|tuf.fleetctl.com>: no such host"
2023-02-22T12:01:23+05:30 INF hash(orbit)=74917f78a90e15871564c92f31d7b713ab6c407943f6c1a2e3c8b8f8040b295a2fda32793a912cdcebe51518f701af977a6f3f433ebfd63a77e08c316ff63fd3
2023-02-22T12:01:23+05:30 INF hash(osqueryd)=3b673b843e49c24dfd77d62ca650b308e332a2922da1ab7610c8b8e3265c0cd51d7575f00dd329efadb1f887883041f83dbde769eaa7c0a11fed3b8394b115c7
2023-02-22T12:01:23+05:30 INF hash(desktop)=bdc45d4df0cfe9e378910931004c734ca2687eac7e4fe8e53c9e475a84f3ededf35414ab2585519827062249c51d042eec5cab8d2ba9a6b3a6c343b0440e7b7f
2023-02-22T12:01:23+05:30 INF early update check failed error="update metadata: update metadata: tuf: failed to download 3.root.json: Get \"<https://tuf.fleetctl.com/3.root.json>\": dial tcp: lookup <http://tuf.fleetctl.com|tuf.fleetctl.com>: no such host"
2023-02-22T12:01:24+05:30 INF initial flags update failed error="error getting flags from fleet: POST /api/fleet/orbit/config: Post \"<https://fleet.tpsec.co/api/fleet/orbit/config>\": dial tcp: lookup <http://fleet.tpsec.co|fleet.tpsec.co>: no such host"
2023-02-22T12:01:24+05:30 INF initial update to fetch extensions from /config API failed error="extensionsUpdate: error getting extensions config from fleet: POST /api/fleet/orbit/config: Post \"<https://fleet.tpsec.co/api/fleet/orbit/config>\": dial tcp: lookup <http://fleet.tpsec.co|fleet.tpsec.co>: no such host"
2023-02-22T12:01:24+05:30 INF initial extensions update action failed error="update metadata: update metadata: tuf: failed to download 3.root.json: Get \"<https://tuf.fleetctl.com/3.root.json>\": dial tcp: lookup <http://tuf.fleetctl.com|tuf.fleetctl.com>: no such host"
2023-02-22T12:01:24+05:30 INF killing any pre-existing fleet-desktop instances
2023-02-22T12:01:24+05:30 INF start osqueryd cmd="C:\\Program Files\\Orbit\\bin\\osqueryd\\windows\\stable\\osqueryd.exe --pidfile=C:\\Program Files\\Orbit\\osquery.pid --database_path=C:\\Program Files\\Orbit\\osquery.db --extensions_socket=\\\\.\\pipe\\orbit-osquery-extension --logger_path=C:\\Program Files\\Orbit\\osquery_log --enroll_secret_env ENROLL_SECRET --host_identifier=uuid --tls_hostname=<http://fleet.tpsec.co|fleet.tpsec.co> --enroll_tls_endpoint=/api/v1/osquery/enroll --config_plugin=tls --config_tls_endpoint=/api/v1/osquery/config --config_refresh=60 --disable_distributed=false --distributed_plugin=tls --distributed_tls_max_attempts=10 --distributed_tls_read_endpoint=/api/v1/osquery/distributed/read --distributed_tls_write_endpoint=/api/v1/osquery/distributed/write --logger_plugin=tls,filesystem --logger_tls_endpoint=/api/v1/osquery/log --disable_carver=false --carver_disable_function=false --carver_start_endpoint=/api/v1/osquery/carve/begin --carver_continue_endpoint=/api/v1/osquery/carve/block --carver_block_size=2000000 --tls_server_certs C:\\Program Files\\Orbit\\certs.pem --force --flagfile C:\\Program Files\\Orbit\\osquery.flags"
2023-02-22T12:01:24+05:30 INF opening path="C:\\Program Files\\Orbit\\bin\\desktop\\windows\\stable\\fleet-desktop.exe"
2023-02-22T12:01:24+05:30 ERR pinging the server error="HEAD /api/fleet/orbit/ping: Head \"<https://fleet.tpsec.co/api/fleet/orbit/ping>\": dial tcp: lookup <http://fleet.tpsec.co|fleet.tpsec.co>: no such host"
E0222 12:01:24.280769  1996 shutdown.cpp:79] [Ref #1382] osqueryd has unsafe permissions: C:\Program Files\Orbit\bin\osqueryd\windows\stable\osqueryd.exe
2023-02-22T12:02:24+05:30 ERR unexpected exit error="osqueryd exited with error: exit status 1"
2023-02-22T12:02:26+05:30 INF hash(orbit)=74917f78a90e15871564c92f31d7b713ab6c407943f6c1a2e3c8b8f8040b295a2fda32793a912cdcebe51518f701af977a6f3f433ebfd63a77e08c316ff63fd3
2023-02-22T12:02:26+05:30 INF hash(osqueryd)=3b673b843e49c24dfd77d62ca650b308e332a2922da1ab7610c8b8e3265c0cd51d7575f00dd329efadb1f887883041f83dbde769eaa7c0a11fed3b8394b115c7
2023-02-22T12:02:26+05:30 INF hash(desktop)=bdc45d4df0cfe9e378910931004c734ca2687eac7e4fe8e53c9e475a84f3ededf35414ab2585519827062249c51d042eec5cab8d2ba9a6b3a6c343b0440e7b7f
2023-02-22T12:02:27+05:30 INF update detected target=orbit
2023-02-22T12:02:27+05:30 INF early update check failed error="update orbit: get binary: download \"orbit/windows/stable/orbit.exe\": download target orbit/windows/stable/orbit.exe: Get \"<https://tuf.fleetctl.com/targets/orbit/windows/stable/orbit.exe>\": read tcp 10.10.1.249:56066->138.199.46.75:443: wsarecv: An existing connection was forcibly closed by the remote host."
2023-02-22T12:02:32+05:30 INF update detected target=orbit

Ojas

02/22/2023, 7:37 AM

hey @Lucas Rodriguez This is a part of the log from the path/file you mentioned.

Ojas

02/22/2023, 7:39 AM

Copy code

ERR pinging the server error="HEAD /api/fleet/orbit/ping: Head \"<https://fleet.tpsec.co/api/fleet/orbit/ping>\": dial tcp: lookup <http://fleet.tpsec.co|fleet.tpsec.co>: no such host"

this i am able to access by url but ping doesnt work no idea what’s this: osqueryd has unsafe permissions: C:\Program Files\Orbit\bin\osqueryd\windows\stable\osqueryd.exe

Lucas Rodriguez

02/22/2023, 11:41 AM

no idea what’s this: osqueryd has unsafe permissions: C:\Program Files\Orbit\bin\osqueryd\windows\stable\osqueryd.exe

This is definitely the issue. Was this running and stopped working all of a sudden? Or was there any recent change that might have caused this?.

Ojas

02/22/2023, 12:34 PM

we just pushed fleet desktop to all and i guess thats when this started, earlier it was fine with older agent

Ojas

02/22/2023, 12:36 PM

nothing else changed the permissions and everything is same

Ojas

02/22/2023, 12:36 PM

also same agent is working fine on another windows host but this one has issues (like many others)

Ojas

02/22/2023, 12:47 PM

but how could it run for few any error on others when they all have same policies and permissions 😐

Lucas Rodriguez

02/22/2023, 2:58 PM

OK.

we just pushed fleet desktop to all and i guess thats when this started, earlier it was fine with older agent

How was Fleet Desktop pushed?

Ojas

02/23/2023, 5:06 AM

via tool for company policies and software installation. Same used for older agents as well.

Kathy Satterlee

02/23/2023, 5:17 AM

How did you install

fleetctl

on the machine where your installer was generated (npm, or downloaded the binary)? If

npm

, did you create the package with

sudo

Ojas

02/23/2023, 5:20 AM

i think i got it by npm and it was not with sudo because my earlier package was without sudo as well

8 Views

Open in Slack

Previous Next