  • Ryan

    10 months ago
    After upgrading to v4 we're seeing a lot of these logs in the Fleet journal:
    fleet[14715]: level=info ts=2021-07-29T09:48:04.444973864Z component=service method=AuthenticateHost ip_addr=10.9.0.64:49157 x_for_ip_addr= err="authentication error: missing node key" took=20.913µs
    Several nodes appear to be offline. The enrol secret appears to be correct, so I'm not quite sure what has happened here. Does anyone have any suggestions? Thanks.
  • Rachel Perkins

    10 months ago
    Hmm, can you use --verbose --tls_dump as documented in this FAQ question to get more details? https://github.com/fleetdm/fleet/blob/main/docs/2-Deploying/FAQ.md#why-arent-my-osquery-agents-connecting-to-fleet
  • Ryan

    10 months ago
    I'll give that a try shortly. Weirdly enough, overnight the problem seems to have stopped, and we're now seeing this being logged intermittently instead:
    Jul 30 10:17:58 de-kolide-fleet-01 fleet[14715]: 2021/07/30 10:17:58 http: TLS handshake error from 10.230.34.204:40996: local error: tls: bad record MAC
    Jul 30 10:17:58 de-kolide-fleet-01 fleet[14715]: 2021/07/30 10:17:58 http: TLS handshake error from 10.230.34.204:40998: local error: tls: bad record MAC
    Jul 30 10:17:59 de-kolide-fleet-01 fleet[14715]: 2021/07/30 10:17:59 http: TLS handshake error from 10.230.34.204:41000: local error: tls: bad record MAC
    Jul 30 10:17:59 de-kolide-fleet-01 fleet[14715]: 2021/07/30 10:17:59 http: TLS handshake error from 10.230.34.204:41002: local error: tls: bad record MAC
    Jul 30 10:18:03 de-kolide-fleet-01 fleet[14715]: 2021/07/30 10:18:03 http: TLS handshake error from 10.230.34.204:41008: local error: tls: bad record MAC
    Jul 30 10:18:03 de-kolide-fleet-01 fleet[14715]: 2021/07/30 10:18:03 http: TLS handshake error from 10.230.34.204:41010: local error: tls: bad record MAC

    but all the hosts appear to be online and responding to queries, so I'm not sure about this
    I'll try running the verbose and tls_dump flags on that node.
    OK - false alarm, this is an old CentOS 6 node I decommissioned; it's not been terminated yet, so false alarm. That's cleared all the errors 🙂
    I'm still not sure why the "authentication error: missing node key" error fixed itself overnight, but happy to chalk that up to upgrade fun and games 🙂