[2.3] osquery adding windows 10 machine #1735
-
Distributed environment manager, 2 query, one fleet. Downloaded the MSI to a Windows client and ran the install. I do not see it register in Fleet. The event log originally showed it could not find the hostname - added it to the hosts file, removed the MSI, deleted the file structure and re-installed. Working on troubleshooting - from the Windows client, should I be able to telnet to the fleet server using port 8090? Event Viewer shows "x.x.x.x:8090: i/o timeout" where x.x.x.x is the IP address of my fleet server. I did run so-allow on the manager to add the Windows client as osquery. Did I miss a step?
Replies: 5 comments 5 replies
-
sudo salt-call pillar.get global:url_base shows the manager's IP, and the MSI is trying to go to the fleet's IP.
-
-
@tommorgan365 I know that you already got it working, but would you mind describing your setup a little more? Did you initially have Fleet on the Manager, then you stood up a Standalone Fleet Node? Not sure what you meant when you say you have 2 query, one fleet?
-
Hello
Four servers - one manager, two search nodes and a separate fleet node. Started out with the fleet node. My confusion is where you run so-allow when you have a separate fleet node. Started running it on the manager - then realized the firewall rules were not being pushed to the fleet server. I had to add osquery to the fleet server using so-allow.
________________________________
From: Josh Brower
Sent: Saturday, October 31, 2020 7:52:56 AM
@tommorgan365 I know that you already got it working, but would you mind describing your setup a little more? Did you initially have Fleet on the Manager, then you stood up a Standalone Fleet Node? Not sure what you meant when you say you have 2 query, one fleet?
-
The manager was first.
________________________________
From: Josh Brower
Sent: Saturday, October 31, 2020 1:45:17 PM
Which server did you install first? The Manager or the Fleet node?
Checking the firewall on the sofleet machine - I do not see the address range I added with so-allow on the somanager for osquery.

Chain DOCKER-USER (1 references)
target     prot opt source       destination
ACCEPT     tcp  --  sofleet      anywhere     tcp dpt:8090
ACCEPT     tcp  --  x.x.x.x      anywhere     tcp dpt:8090
ACCEPT     tcp  --  x.x.x.x      anywhere     tcp dpt:8090
ACCEPT     tcp  --  somanager    anywhere     tcp dpt:8090
ACCEPT     tcp  --  sofleet      anywhere     tcp dpt:8090
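A quick way to check the DOCKER-USER chain on the fleet node for a given client, as an added example that is not part of this thread or of Security Onion: it parses `iptables -L DOCKER-USER -n` output (assumed numeric output rather than the resolved hostnames pasted above; the addresses in the sample are constructed) and reports whether a client address falls inside any ACCEPT source for tcp dpt:8090, CIDR ranges included, since so-allow can add ranges as well as single hosts.

```python
import ipaddress
import re

# Constructed sample of `iptables -L DOCKER-USER -n` on a fleet node,
# modelled on the chain pasted in the thread (addresses are made up).
SAMPLE_CHAIN = """\
Chain DOCKER-USER (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  10.0.0.5             0.0.0.0/0            tcp dpt:8090
ACCEPT     tcp  --  192.168.1.0/24       0.0.0.0/0            tcp dpt:8090
ACCEPT     tcp  --  10.0.0.1             0.0.0.0/0            tcp dpt:8090
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
"""

DPT_RE = re.compile(r"dpt:(\d+)")


def parse_rules(chain_text):
    """Return (target, proto, source_network, dport_or_None) per rule line."""
    rules = []
    for line in chain_text.splitlines():
        fields = line.split()
        # Skip the chain header, the column header and blank lines.
        if len(fields) < 5 or fields[0] in ("Chain", "target"):
            continue
        target, proto, _opt, source = fields[:4]
        m = DPT_RE.search(line)
        dport = int(m.group(1)) if m else None
        # strict=False turns a bare host address into a /32 network.
        rules.append((target, proto, ipaddress.ip_network(source, strict=False), dport))
    return rules


def accept_networks(chain_text, port):
    """Source networks with an explicit ACCEPT for tcp to the given port."""
    return [src for tgt, proto, src, dpt in parse_rules(chain_text)
            if tgt == "ACCEPT" and proto == "tcp" and dpt == port]


def client_allowed(chain_text, client_ip, port=8090):
    """True if client_ip is covered by an ACCEPT source for tcp dpt:port."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in accept_networks(chain_text, port))


if __name__ == "__main__":
    for client in ("192.168.1.50", "172.16.0.9"):
        state = "allowed" if client_allowed(SAMPLE_CHAIN, client) else "NOT in DOCKER-USER for 8090"
        print(client, state)
```

On a live node, replace SAMPLE_CHAIN with the captured output of the iptables command; a client reported as not allowed here matches the i/o timeout symptom described in the first post.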