• Jean M

    1 year ago
    Hi, I’ve some decorators configured (remote tls config), however, scheduled queries are not sending all expected decorators, the config is:
    spec:
      config:
        decorators:
          load:
            - SELECT uuid AS host_uuid FROM system_info
            - SELECT hardware_serial FROM system_info LIMIT 1
          always:
            - >-
              SELECT user AS username FROM logged_in_users WHERE user <> '' ORDER BY
              time DESC LIMIT 1
          interval:
            '3600':
              - SELECT hostname FROM system_info LIMIT 1
    ...
    I’ve also restarted osqueryd, and tried to remove the DB before restarting, is there anything I can do to know which decorators it is considering or the cause of the issue? I may add that it is working for two other hosts and they are using the same configuration 🤔 It is only including the hostIdentifier in the scheduled query results (I guess it’s the default?) thanks!
  • seph

    1 year ago
    I’d try testing them one at a time, and seeing if anything works or fails.
  • I also can’t remember if the interval stuff needs to be a number or if the string form is okay. I remember it’s a bit weird
  • Jean M

    1 year ago
    OK, after a couple hours debugging.. I noticed that the hosts working OK were just Linux, could not find anything suspicious in the logs, however I suspected that the remaining configuration which has OS specific ATC definitions could be broken.. removing all this section from the config it started working.
  • It seems that if there’s some problem in the OS specific ATC tables (or in the config in general?) osquery will silently fail to load remote config : /
  • After more debugging, it seems to be a bug in fleetdm and not a problem in osquery (https://github.com/fleetdm/fleet/issues/677).
  • seph

    1 year ago
    Glad you found it