  • RyanMcG

    11 months ago
    Hi there, I am trying to set up a demo Security Onion solution as a proof of concept for my workplace and have managed to connect a machine running RHEL without any issues, but when running the MSI launcher on a Windows Server 2016 instance it just doesn't seem to add it to the fleet at all? Has anyone else run into issues trying to add a Windows Server 2016 machine to the fleet using just the launcher provided by SO?
    For example, all I had to do to connect the RHEL machine to the fleet was download and run the launcher after using so-allow to allow osquery connections, and I was under the impression that it'd be the same process for adding the Windows Server 2016 machine?
  • zwass

    11 months ago
    @defensivedepth builds SO and may know more
  • RyanMcG

    11 months ago
    Okay thanks @zwass!
  • defensivedepth

    11 months ago
    @RyanMcG check under the Application event log on the Windows Server - restart the Kolide Launcher service and you should see logs there.
  • RyanMcG

    11 months ago
    Firstly, thanks for helping @defensivedepth. According to the logs the launcher configuration completed successfully, but I did notice a pile of NULL values, which I can only assume aren't supposed to be there?
  • defensivedepth

    11 months ago
    @RyanMcG are you seeing logs that state that it successfully connected? Once connected, you should see logs about scheduled queries running every so often, etc.
  • RyanMcG

    11 months ago
    It doesn't look like the actual connection was successful; I have attached a couple of log snippets below. Yesterday I thought I'd test out a Windows 10 Pro instance just to see if the launcher was essentially all I needed to set up the connection, and it worked as expected, which leads me to think there might be some support issues with the specific release of Windows Server 2016 that I was using to test?
  • defensivedepth

    11 months ago
    Yes, that is very possible. What version of SO are you on?
  • RyanMcG

    11 months ago
    Sorry for the late reply, I'm using version 2.3.52.
  • defensivedepth

    11 months ago
    Can you regenerate the osquery packages and then try to reinstall? Run the following on the manager:
    sudo salt-call state.apply fleet.event_gen-packages