# fleet

Ojas

02/21/2023, 1:22 PM
Hey @Kathy Satterlee, this is the error on my Windows host of Fleet Desktop, which is showing offline even when the Fleet service is running on it.
2023-02-21T18:42:39+05:30 INF Shutdown was requested!
2023-02-21T18:42:39+05:30 INF exit
2023-02-21T18:43:48+05:30 INF fleet-desktop version=1.3.1
2023-02-21T18:43:48+05:30 INF Comm channel was acquired
2023-02-21T18:43:48+05:30 INF ready
2023-02-21T18:43:48+05:30 DBG successfully refetched the token from disk
2023-02-21T18:43:49+05:30 INF Shutdown was requested!
2023-02-21T18:43:49+05:30 ERR get device URL error="GET /api/latest/fleet/device/************/desktop received status 429 limit exceeded, retry after: 0s: limit exceeded, retry after: 0s"
2023-02-21T18:43:49+05:30 INF exit
And after this I keep getting
2023-02-21T18:43:48+05:30 DBG successfully refetched the token from disk
2023-02-21T18:43:49+05:30 INF Shutdown was requested!
2023-02-21T18:43:48+05:30 DBG successfully refetched the token from disk
2023-02-21T18:43:49+05:30 INF Shutdown was requested!
2023-02-21T18:43:48+05:30 DBG successfully refetched the token from disk
2023-02-21T18:43:49+05:30 INF Shutdown was requested!
these

Lucas Rodriguez

02/21/2023, 2:01 PM
Hi! Seems Orbit is signalling Fleet Desktop to shut down. Could you check Orbit logs (C:\Windows\system32\config\systemprofile\AppData\Local\FleetDM\Orbit\Logs\orbit-osquery.log)?

Ojas

02/22/2023, 7:37 AM
(osqueryd)=3b673b843e49c24dfd77d62ca650b308e332a2922da1ab7610c8b8e3265c0cd51d7575f00dd329efadb1f887883041f83dbde769eaa7c0a11fed3b8394b115c7
2023-02-22T01:34:40+05:30 INF hash(desktop)=bdc45d4df0cfe9e378910931004c734ca2687eac7e4fe8e53c9e475a84f3ededf35414ab2585519827062249c51d042eec5cab8d2ba9a6b3a6c343b0440e7b7f
2023-02-22T01:34:40+05:30 INF early update check failed error="update metadata: update metadata: tuf: failed to download 3.root.json: Get \"https://tuf.fleetctl.com/3.root.json\": dial tcp: lookup tuf.fleetctl.com: no such host"
2023-02-22T01:34:40+05:30 INF initial flags update failed error="error getting flags from fleet: POST /api/fleet/orbit/config: Post \"https://fleet.tpsec.co/api/fleet/orbit/config\": dial tcp: lookup fleet.tpsec.co: no such host"
2023-02-22T01:34:40+05:30 INF initial update to fetch extensions from /config API failed error="extensionsUpdate: error getting extensions config from fleet: POST /api/fleet/orbit/config: Post \"https://fleet.tpsec.co/api/fleet/orbit/config\": dial tcp: lookup fleet.tpsec.co: no such host"
2023-02-22T01:34:40+05:30 INF initial extensions update action failed error="update metadata: update metadata: tuf: failed to download 3.root.json: Get \"https://tuf.fleetctl.com/3.root.json\": dial tcp: lookup tuf.fleetctl.com: no such host"
2023-02-22T01:34:40+05:30 INF killing any pre-existing fleet-desktop instances
2023-02-22T01:34:40+05:30 INF start osqueryd cmd="C:\\Program Files\\Orbit\\bin\\osqueryd\\windows\\stable\\osqueryd.exe --pidfile=C:\\Program Files\\Orbit\\osquery.pid --database_path=C:\\Program Files\\Orbit\\osquery.db --extensions_socket=\\\\.\\pipe\\orbit-osquery-extension --logger_path=C:\\Program Files\\Orbit\\osquery_log --enroll_secret_env ENROLL_SECRET --host_identifier=uuid --tls_hostname=fleet.tpsec.co --enroll_tls_endpoint=/api/v1/osquery/enroll --config_plugin=tls --config_tls_endpoint=/api/v1/osquery/config --config_refresh=60 --disable_distributed=false --distributed_plugin=tls --distributed_tls_max_attempts=10 --distributed_tls_read_endpoint=/api/v1/osquery/distributed/read --distributed_tls_write_endpoint=/api/v1/osquery/distributed/write --logger_plugin=tls,filesystem --logger_tls_endpoint=/api/v1/osquery/log --disable_carver=false --carver_disable_function=false --carver_start_endpoint=/api/v1/osquery/carve/begin --carver_continue_endpoint=/api/v1/osquery/carve/block --carver_block_size=2000000 --tls_server_certs C:\\Program Files\\Orbit\\certs.pem --force --flagfile C:\\Program Files\\Orbit\\osquery.flags"
2023-02-22T01:34:40+05:30 ERR pinging the server error="HEAD /api/fleet/orbit/ping: Head \"https://fleet.tpsec.co/api/fleet/orbit/ping\": dial tcp: lookup fleet.tpsec.co: no such host"
2023-02-22T01:34:40+05:30 INF opening path="C:\\Program Files\\Orbit\\bin\\desktop\\windows\\stable\\fleet-desktop.exe"
E0222 01:34:41.065012 10104 shutdown.cpp:79] [Ref #1382] osqueryd has unsafe permissions: C:\Program Files\Orbit\bin\osqueryd\windows\stable\osqueryd.exe
2023-02-22T12:01:21+05:30 ERR unexpected exit error="osqueryd exited with error: exit status 1"
2023-02-22T12:01:23+05:30 INF update metadata. using saved metadata error="update metadata: tuf: failed to download 3.root.json: Get \"https://tuf.fleetctl.com/3.root.json\": dial tcp: lookup tuf.fleetctl.com: no such host"
2023-02-22T12:01:23+05:30 INF hash(orbit)=74917f78a90e15871564c92f31d7b713ab6c407943f6c1a2e3c8b8f8040b295a2fda32793a912cdcebe51518f701af977a6f3f433ebfd63a77e08c316ff63fd3
2023-02-22T12:01:23+05:30 INF hash(osqueryd)=3b673b843e49c24dfd77d62ca650b308e332a2922da1ab7610c8b8e3265c0cd51d7575f00dd329efadb1f887883041f83dbde769eaa7c0a11fed3b8394b115c7
2023-02-22T12:01:23+05:30 INF hash(desktop)=bdc45d4df0cfe9e378910931004c734ca2687eac7e4fe8e53c9e475a84f3ededf35414ab2585519827062249c51d042eec5cab8d2ba9a6b3a6c343b0440e7b7f
2023-02-22T12:01:23+05:30 INF early update check failed error="update metadata: update metadata: tuf: failed to download 3.root.json: Get \"https://tuf.fleetctl.com/3.root.json\": dial tcp: lookup tuf.fleetctl.com: no such host"
2023-02-22T12:01:24+05:30 INF initial flags update failed error="error getting flags from fleet: POST /api/fleet/orbit/config: Post \"https://fleet.tpsec.co/api/fleet/orbit/config\": dial tcp: lookup fleet.tpsec.co: no such host"
2023-02-22T12:01:24+05:30 INF initial update to fetch extensions from /config API failed error="extensionsUpdate: error getting extensions config from fleet: POST /api/fleet/orbit/config: Post \"https://fleet.tpsec.co/api/fleet/orbit/config\": dial tcp: lookup fleet.tpsec.co: no such host"
2023-02-22T12:01:24+05:30 INF initial extensions update action failed error="update metadata: update metadata: tuf: failed to download 3.root.json: Get \"https://tuf.fleetctl.com/3.root.json\": dial tcp: lookup tuf.fleetctl.com: no such host"
2023-02-22T12:01:24+05:30 INF killing any pre-existing fleet-desktop instances
2023-02-22T12:01:24+05:30 INF start osqueryd cmd="C:\\Program Files\\Orbit\\bin\\osqueryd\\windows\\stable\\osqueryd.exe --pidfile=C:\\Program Files\\Orbit\\osquery.pid --database_path=C:\\Program Files\\Orbit\\osquery.db --extensions_socket=\\\\.\\pipe\\orbit-osquery-extension --logger_path=C:\\Program Files\\Orbit\\osquery_log --enroll_secret_env ENROLL_SECRET --host_identifier=uuid --tls_hostname=fleet.tpsec.co --enroll_tls_endpoint=/api/v1/osquery/enroll --config_plugin=tls --config_tls_endpoint=/api/v1/osquery/config --config_refresh=60 --disable_distributed=false --distributed_plugin=tls --distributed_tls_max_attempts=10 --distributed_tls_read_endpoint=/api/v1/osquery/distributed/read --distributed_tls_write_endpoint=/api/v1/osquery/distributed/write --logger_plugin=tls,filesystem --logger_tls_endpoint=/api/v1/osquery/log --disable_carver=false --carver_disable_function=false --carver_start_endpoint=/api/v1/osquery/carve/begin --carver_continue_endpoint=/api/v1/osquery/carve/block --carver_block_size=2000000 --tls_server_certs C:\\Program Files\\Orbit\\certs.pem --force --flagfile C:\\Program Files\\Orbit\\osquery.flags"
2023-02-22T12:01:24+05:30 INF opening path="C:\\Program Files\\Orbit\\bin\\desktop\\windows\\stable\\fleet-desktop.exe"
2023-02-22T12:01:24+05:30 ERR pinging the server error="HEAD /api/fleet/orbit/ping: Head \"https://fleet.tpsec.co/api/fleet/orbit/ping\": dial tcp: lookup fleet.tpsec.co: no such host"
E0222 12:01:24.280769  1996 shutdown.cpp:79] [Ref #1382] osqueryd has unsafe permissions: C:\Program Files\Orbit\bin\osqueryd\windows\stable\osqueryd.exe
2023-02-22T12:02:24+05:30 ERR unexpected exit error="osqueryd exited with error: exit status 1"
2023-02-22T12:02:26+05:30 INF hash(orbit)=74917f78a90e15871564c92f31d7b713ab6c407943f6c1a2e3c8b8f8040b295a2fda32793a912cdcebe51518f701af977a6f3f433ebfd63a77e08c316ff63fd3
2023-02-22T12:02:26+05:30 INF hash(osqueryd)=3b673b843e49c24dfd77d62ca650b308e332a2922da1ab7610c8b8e3265c0cd51d7575f00dd329efadb1f887883041f83dbde769eaa7c0a11fed3b8394b115c7
2023-02-22T12:02:26+05:30 INF hash(desktop)=bdc45d4df0cfe9e378910931004c734ca2687eac7e4fe8e53c9e475a84f3ededf35414ab2585519827062249c51d042eec5cab8d2ba9a6b3a6c343b0440e7b7f
2023-02-22T12:02:27+05:30 INF update detected target=orbit
2023-02-22T12:02:27+05:30 INF early update check failed error="update orbit: get binary: download \"orbit/windows/stable/orbit.exe\": download target orbit/windows/stable/orbit.exe: Get \"https://tuf.fleetctl.com/targets/orbit/windows/stable/orbit.exe\": read tcp 10.10.1.249:56066->138.199.46.75:443: wsarecv: An existing connection was forcibly closed by the remote host."
2023-02-22T12:02:32+05:30 INF update detected target=orbit
Hey @Lucas Rodriguez, this is a part of the log from the path/file you mentioned.
ERR pinging the server error="HEAD /api/fleet/orbit/ping: Head \"https://fleet.tpsec.co/api/fleet/orbit/ping\": dial tcp: lookup fleet.tpsec.co: no such host"
This I am able to access by URL but ping doesn’t work. No idea what’s this: osqueryd has unsafe permissions: C:\Program Files\Orbit\bin\osqueryd\windows\stable\osqueryd.exe

Lucas Rodriguez

02/22/2023, 11:41 AM
> no idea what’s this: osqueryd has unsafe permissions: C:\Program Files\Orbit\bin\osqueryd\windows\stable\osqueryd.exe
This is definitely the issue. Was this running and stopped working all of a sudden? Or was there any recent change that might have caused this?

Ojas

02/22/2023, 12:34 PM
We just pushed Fleet Desktop to all and I guess that's when this started, earlier it was fine with older agent.
Nothing else changed the permissions and everything is same.
Also same agent is working fine on another Windows host but this one has issues (like many others).
but how could it run for few any error on others when they all have same policies and permissions 😐

Lucas Rodriguez

02/22/2023, 2:58 PM
OK.
> We just pushed Fleet Desktop to all and I guess that's when this started, earlier it was fine with older agent.
How was Fleet Desktop pushed?

Ojas

02/23/2023, 5:06 AM
Via tool for company policies and software installation. Same used for older agents as well.

Kathy Satterlee

02/23/2023, 5:17 AM
How did you install fleetctl on the machine where your installer was generated (npm, or downloaded the binary)? If npm, did you create the package with sudo?

Ojas

02/23/2023, 5:20 AM
I think I got it by npm and it was not with sudo because my earlier package was without sudo as well.