Hello everyone! 😄 I am having a strange issue... I already added multiple hosts to fleet (generated a installer .msi and .deb with fleetctl). Fleet can detect software on my windows hosts, but my ubuntu hosts can't detect it. Does someone have any suggestion on this?

Hi @Ricardo Carvalho! Are you able to live query the Linux hosts?

It seems yes... I was able to query "SELECT * FROM osquery_info;" for the host shown above and got this results.

Thanks! Are you seeing any errors in the Fleet server logs or the osquery status logs for those hosts?

In my fleet logs I found this, is it of some help?

level=error ts=2023-02-24T16:47:15.496985412Z component=http method=POST uri=/api/v1/osquery/distributed/write took=1m8.170772473s ip_addr=10.244.3.0 x_for_ip_addr=10.244.3.0 ingestion-err="campaign stopped" ingestion-err="ingesting query software_linux: update host software: get software: context canceled" ingestion-err="ingesting query disk_encryption_linux: update: context canceled" ingestion-err="ingesting query users: update host users: create transaction: context canceled" err="error in query ingestion || error in query ingestion || error in query ingestion || error in query ingestion || create transaction: context canceled || save host with id 616: context canceled"

It does! It definitely looks like something is preventing those hosts from updating. There may be more information in the Orbit logs on the host.

Now the error is clear 🙂 It can't read the fleet certificate, because it doesn't exist in the machine. Even though this happens I was careful in specifying the path to the certificate when generating the .deb file with fleetctl. Will insert it manually and see how it goes, thanks!

Let me know what happens!

I think the fleet secret is also not set correctl, with these logs ir must be it, isn’t it? I already tried to add enroll_secret_path os osquery.flags in /opt/orbit, didn’t help it.

That’s just telling us that the enrollment failed, are there any corresponding logs in Fleet?

Hello @Kathy Satterlee! Sorry, I didn't put much work into this recently, yet I tried to resolve the issue but without success. It appears to me that these are the most relevant logs:

level=error ts=2023-03-06T12:32:59.525524968Z query=fleet_detail_query_disk_encryption_linux message="distributed query is denylisted" hostID=879

level=error ts=2023-03-06T12:32:59.525643868Z query=fleet_detail_query_network_interface_unix message="distributed query is denylisted" hostID=879

level=error ts=2023-03-06T12:33:00.218312788Z query=fleet_detail_query_network_interface_unix message="distributed query is denylisted" hostID=879

level=error ts=2023-03-06T12:33:00.218542088Z query=fleet_detail_query_disk_encryption_linux message="distributed query is denylisted" hostID=879

level=error ts=2023-03-06T12:34:07.300702754Z component=http method=POST uri=/api/v1/osquery/distributed/write took=1m7.840825507s ip_addr=10.244.3.1 x_for_ip_addr=10.244.3.1 ingestion-err="ingesting query software_linux: update host software: insert software: context canceled" ingestion-err="ingesting query users: update host users: create transaction: context canceled" err="error in query ingestion || error in query ingestion || create transaction: context canceled || save host with id 879: context canceled"