Ibra (2 months ago)
Trying with Docker and Node.js gives me problems, so instead I am trying server mode (https://fleetdm.com/docs/deploying/server-installation). As soon as I run the "/usr/bin/fleet prepare db part \ --mysql_address=127.0.0.1:3306 \ --mysql_database=fleet \ --mysql_username=root \ --mysql_password=toor?fl33t" step, it tells me: Error: No help topic for 'prepare'
Keith Swagler (2 months ago)
It sounds like there may be "help" before the "prepare" command.
I also see "part" in the command you pasted, which I don't see any docs for and could cause problems.
Ibra (2 months ago)
Hi @Keith Swagler, I succeeded in installing the preview version with Docker (https://fleetdm.com/get-started), but when I click on "add node" and create the MSI file, on the Windows PC it remains in the initializing state and I don't see it among the hosts it shows me. Also, I would like to know how to implement it in production mode and not in demo mode; I can't find any guides online. Could you help me? Thanks.
Keith Swagler (2 months ago)
Hi Ibra, you can follow the instructions on the deploy page for doing a production deployment: https://fleetdm.com/docs/deploying/server-installation
Ibra (2 months ago)
Hi @Keith Swagler, I have RHEL 7.9. I downloaded fleetctl_v4.15.0_linux.zip (https://github.com/fleetdm/fleet/releases/tag/fleet-v4.15.0), but inside there is no linux subfolder, nor is there one in the source code folder (https://github.com/fleetdm/fleet/releases/tag/fleet-v4.15.0), as indicated in the code in the installation link you gave me:
    unzip fleet.zip 'linux/*' -d fleet
    sudo cp fleet/linux/fleet* /usr/bin/
Keith Swagler (2 months ago)
There isn't a fleet zip file; you would want the tar.gz, which is just another compressed file.
You can uncompress it using
    tar xvf fleet_v4.15.0.tar.gz
Ibra (2 months ago)
Hi @Keith Swagler, thanks for your support. I installed it, but when I run
    /usr/bin/fleet serve \
      --mysql_address=127.0.0.1:3306 \
      --mysql_database=fleet \
      --mysql_username=root \
      --mysql_password=toor \
      --redis_address=127.0.0.1:6379 \
      --server_cert=/tmp/server.cert \
      --server_key=/tmp/server.key \
      --logging_json
I get this message:
    {"component":"redis","level":"info","mode":"standalone","ts":"2022-06-09T12:09:21.87259795Z"}
    {"component":"crons","cron":"vulnerabilities","level":"info","software inventory":"not configured","ts":"2022-06-09T12:09:21.939422235Z"}
    {"level":"info","msg":"metrics endpoint disabled (http basic auth credentials not set)","ts":"2022-06-09T12:09:21.968107573Z"}
    {"address":"0.0.0.0:8080","msg":"listening","transport":"https","ts":"2022-06-09T12:09:21.968800662Z"}
What can I do?
Keith Swagler (2 months ago)
Looks like it's working! But it is listening on port 8080.
Ibra (2 months ago)
Thanks, now it's working.
But when I go to run
    fleetctl package --type=msi --fleet-desktop --fleet-url=https://fleet.ibratech.it --enroll-secret=N6O0IYtIeQ4wmpsvnFXZ+Gw09XwSde3Y
I get "fleetctl not found".
@Keith Swagler
Keith Swagler (2 months ago)
fleetctl is a separate package.
You can download it on a server or a workstation.
Ibra (2 months ago)
@Keith Swagler, once I run the fleetctl command to create the MSI package, is osquery included inside it, or do I have to install it separately? Is there any way to allow PCs to be reached by Fleet even if they are not on the same LAN, using for example an FQDN or a public IP? What are the ports to open on the firewall? How do I see the ports used by Fleet? Thanks for your support.
Keith Swagler (2 months ago)
I think the MSI includes everything you need, but I'm not sure on that. You can have the clients reach the Fleet server by FQDN, and that is the preferred method. The simplest is just HTTPS 443.
Ibra (2 months ago)
@Keith Swagler, perfect. When I start the MSI, will I see the host right away, or do I have to do some other operation?
I keep seeing this situation on the Windows PC.
Keith Swagler (2 months ago)
I'm not sure; I've never installed that way.
Ibra (2 months ago)
Hi @Keith Swagler, I think I found the problem. I tried installing osquery on the same machine where Fleet is installed, but after generating the RPM package with fleetctl and starting orbit, I noticed that it does not connect to Fleet on port 443:
    systemctl status orbit -l
    ● orbit.service - Orbit osquery
       Loaded: loaded (/usr/lib/systemd/system/orbit.service; enabled; vendor preset: disabled)
       Active: active (running) since Thu 2022-06-09 16:26:37 EDT; 3min 33s ago
     Main PID: 8640 (orbit)
        Tasks: 20 (limit: 11268)
       Memory: 19.9M
       CGroup: /system.slice/orbit.service
               ├─8640 /opt/orbit/bin/orbit/orbit
               ├─8645 /opt/orbit/bin/osqueryd/linux/stable/osqueryd --pidfile=/opt/orbit/osquery.pid --database_path=/opt/orbit/osquery.db --extensions_socket=/opt/orbit/orbit-osquery.em --logger_path=/opt/orbit/osquery_log --enroll_secret_>
               └─8649 /opt/orbit/bin/osqueryd/linux/stable/osqueryd
    
    Jun 09 16:26:52 test-fleet-01.ibratech.local orbit[8640]: 2022-06-09T16:26:52-04:00 INF start osqueryd cmd="/opt/orbit/bin/osqueryd/linux/stable/osqueryd --pidfile=/opt/orbit/osquery.pid --database_path=/opt/orbit/osquery.db --extension>
    Jun 09 16:26:52 test-fleet-01.ibratech.local osqueryd[8645]: osqueryd started [version=5.2.2]
    Jun 09 16:26:57 test-fleet-01.ibratech.local orbit[8640]: W0609 16:26:57.937232  8649 tls_enroll.cpp:101] Failed enrollment request to <https://10.0.63.135/api/v1/osquery/enroll> (Request error: Failed to connect to 10.0.63.135:443: Connection refused>
    Jun 09 16:26:58 test-fleet-01.ibratech.local orbit[8640]: W0609 16:26:58.988256  8649 tls_enroll.cpp:101] Failed enrollment request to <https://10.0.63.135/api/v1/osquery/enroll> (Request error: Failed to connect to 10.0.63.135:443: Connection refused>
    Jun 09 16:27:03 test-fleet-01.ibratech.local orbit[8640]: W0609 16:27:03.044104  8649 tls_enroll.cpp:101] Failed enrollment request to <https://10.0.63.135/api/v1/osquery/enroll> (Request error: Failed to connect to 10.0.63.135:443: Connection refused>
    Jun 09 16:27:12 test-fleet-01.ibratech.local orbit[8640]: W0609 16:27:12.095988  8649 tls_enroll.cpp:101] Failed enrollment request to <https://10.0.63.135/api/v1/osquery/enroll> (Request error: Failed to connect to 10.0.63.135:443: Connection refused>
    Jun 09 16:27:28 test-fleet-01.ibratech.local orbit[8640]: W0609 16:27:28.154523  8649 tls_enroll.cpp:101] Failed enrollment request to <https://10.0.63.135/api/v1/osquery/enroll> (Request error: Failed to connect to 10.0.63.135:443: Connection refused>
    Jun 09 16:27:53 test-fleet-01.ibratech.local orbit[8640]: W0609 16:27:53.206271  8649 tls_enroll.cpp:101] Failed enrollment request to <https://10.0.63.135/api/v1/osquery/enroll> (Request error: Failed to connect to 10.0.63.135:443: Connection refused>
    Jun 09 16:28:29 test-fleet-01.ibratech.local orbit[8640]: W0609 16:28:29.254662  8649 tls_enroll.cpp:101] Failed enrollment request to <https://10.0.63.135/api/v1/osquery/enroll> (Request error: Failed to connect to 10.0.63.135:443: Connection refused>
    Jun 09 16:29:18 test-fleet-01.ibratech.local orbit[8640]: W0609 16:29:18.307225  8649 tls_enroll.cpp:101] Failed enrollment request to <https://10.0.63.135/api/v1/osquery/enroll> (Request error: Failed to connect to 10.0.63.135:443: Connection refused>
The port, however, is open. I can't find the Fleet configuration file nor the log files to understand why it refuses the connection on 443:
    firewall-cmd --list-all
    public (active)
      target: default
      icmp-block-inversion: no
      interfaces: ens192
      sources:
      services: cockpit dhcpv6-client ssh
      ports: 8080/tcp 443/tcp
      protocols:
      forward: no
      masquerade: yes
      forward-ports:
      source-ports:
      icmp-blocks:
      rich rules:
Can you help me?
Keith Swagler (2 months ago)
By default Fleet listens on 8080. You can redirect from firewall-cmd by doing
    firewall-cmd --add-forward-port=port=443:proto=tcp:toport=8080
Or use a WAF/reverse proxy.
Ibra (2 months ago)
@Keith Swagler, currently I was able to add 2 external hosts (Windows, RHEL) not connected to the same LAN via FQDN on port 8080, using --insecure in the fleetctl command; otherwise it kept telling me it can't verify the certificate. Since I plan to balance the server with an F5, the SSL certificate will be installed on the balancer and not on the server. Is there any way to use Fleet without the certificate in the fleet.service file configuration? Or how do I properly configure the certificate within the agent to communicate with the balancer, since the server is balanced in SSL offloading mode?
Keith Swagler (2 months ago)
You can include the certificate when generating the package in fleetctl using --fleet-certificate. I'm not familiar with F5s specifically, but you can either have the certificate on the server or disable strict host checking between the F5 and the Fleet server.
Ibra (2 months ago)
Should I download the certificate from here and put it in a path on the server such as /tmp/fleet.pm, and pass it in the fleetctl command as you indicate?
@Keith Swagler
This is the situation I want to have (in black). When there is no balancer in the middle (in red), entering the --fleet-certificate option tells me "error verifying certificate" after downloading it from the screenshot above.
Keith Swagler (2 months ago)
Most of the time certificate errors are:
• not matching hostname
• not trusting the certificate (self-signed)
osquery should trust any cert that you package it with in fleetctl, as long as it is the same one being hosted.
Ibra (2 months ago)
@Keith Swagler, I will use Let's Encrypt R3.