I'm only getting partial results from live queries

Redis has an internal buffer limit for pubsub that Fleet uses to communicate query results. If this buffer is filled, extra data is dropped. To fix this, we recommend disabling the buffer size limit. Most installs of Redis should have plenty of spare memory to not run into issues.

Seeing your proxy's requests fail with an error like DEPTH_ZERO_SELF_SIGNED_CERT?

To get your proxy server's HTTP client to work with a local Fleet when using a self-signed cert, disable SSL / self-signed verification in the client. The exact solution to this depends on the request client you are using. For example, when using Node.js ± Sails.js, you can work around this in the requests you're sending with await () by lifting your app with the NODE_TLS_REJECT_UNAUTHORIZED environment variable set to 0:

NODE_TLS_REJECT_UNAUTHORIZED=0 sails console

What do I need to do to change the Fleet server TLS certificate?

If both the existing and new certificates verify with osquery's default root certificates (such as a certificate issued by a well-known Certificate Authority) and no certificate chain was deployed with osquery, there is no need to deploy a new certificate chain.

If osquery has been deployed with the full certificate chain (using --tls_server_certs), deploying a new certificate chain is necessary to allow for verification of the new certificate.

Deploying a certificate chain cannot be done centrally from Fleet.

How do I fix "certificate verify failed" errors from osqueryd?

Osquery requires that all communication between the agent and Fleet is over a secure TLS connection. For the safety of osquery deployments, there is no (convenient) way to circumvent this check.

- Try specifying the path to the full certificate chain used by the server using the --tls_server_certs flag in osqueryd. This is often unnecessary when using a certificate signed by an authority trusted by the system, but is mandatory when working with self-signed certificates. In all cases it can be a useful debugging step.
- Ensure that the CNAME or one of the Subject Alternate Names (SANs) on the certificate matches the address at which the server is being accessed. If osquery connects via but the certificate is for, the verification will fail.
- Is Fleet behind a load-balancer? Ensure that if the load-balancer is terminating TLS, this is the certificate provided to osquery.
- Does the certificate verify with curl? Try curl -v -X POST

Why aren't my osquery agents connecting to Fleet?

This can be caused by a variety of problems. The best way to debug is usually to add --verbose --tls_dump to the arguments provided to osqueryd and look at the logs for the server communication.

- Connection refused: The server is not running, or is not listening on the address specified. Is the server listening on an address that is available from the host running osquery? Do you have a load balancer that might be blocking connections? Try testing with curl.
- No node key returned: Typically this indicates that the osquery client sent an incorrect enroll secret that was rejected by the server. Check what osquery is sending by looking in the logs near this error.
- certificate verify failed: See How do I fix "certificate verify failed" errors from osqueryd.
- bad record MAC: When generating your certificate for your Fleet server, ensure you set the hostname to the FQDN or the IP of the server. This error is common when setting up Fleet servers and accepting defaults when generating certificates using openssl.

Can multiple instances of the Fleet server be run behind a load-balancer?

Fleet scales horizontally out of the box as long as all of the Fleet servers are connected to the same MySQL and Redis instances. Note that osquery logs will be distributed across the Fleet servers. Read the performance documentation for more.

How do I get support for working with Fleet?

For bug reports, please use the Github issue tracker.

For questions and discussion, please join us in the #fleet channel of osquery Slack.
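
An added example (not from the Fleet documentation) of the name check in the "certificate verify failed" answer above: given a decoded certificate in the shape Python's ssl.SSLSocket.getpeercert() returns, it reports whether the address an agent connects to is covered by the certificate. The sample certificate, hostnames and IP addresses are constructed placeholders, and the Common Name fallback is an assumption about legacy client behavior.

```python
import ipaddress

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert();
# the names and addresses are placeholders, not values from the Fleet docs.
SAMPLE_CERT = {
    "subject": ((("commonName", "fleet.example.com"),),),
    "subjectAltName": (
        ("DNS", "fleet.example.com"),
        ("DNS", "*.fleet.example.com"),
        ("IP Address", "10.0.0.5"),
    ),
}


def _dns_match(pattern, host):
    """RFC 6125 style: '*' may only stand in for the whole left-most label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # Refuse overly broad wildcards such as '*.com' and empty host labels.
        return len(p_labels) > 2 and h_labels[0] != "" and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def check_address(cert, address):
    """Return (ok, reason) for the address an agent is configured to use."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal must appear as an IP SAN; DNS entries never match it.
        ips = [v for k, v in sans if k == "IP Address"]
        if any(ipaddress.ip_address(v) == ip for v in ips):
            return True, "matched IP SAN"
        return False, f"{address} is not among IP SANs {ips}"
    dns = [v for k, v in sans if k == "DNS"]
    if not dns:
        # Assumed legacy fallback: use the CN only when there are no DNS SANs.
        dns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    for name in dns:
        if _dns_match(name, address):
            return True, f"matched {name}"
    return False, f"{address} does not match any of {dns}"
```

A certificate generated with default values (for instance a Common Name of localhost and no SANs) fails this check for every address except that one name, which is the situation the FQDN-or-IP advice above addresses.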