Channels
- d
demonbhao
1 year agoHello, may I ask if I deleted the pack pack on fleet UI, but the log of pack pack query will still be generated? What's the situation? 
Noah Talerman
1 year agoHi demonbhao. Do you mind walking me through the steps you took from deleting the pack within the Fleet UI to viewing the generated log output?- d
demonbhao
1 year agoOk, on my side, I first logged on to the Fleet UI to pause the pack query, and then I went back to the Fleet server and found that the logs were still sent (Figure 1).Later I deleted the Pack query directly, but the Fleet server still sent the query log.Figure 2 shows the Pack shown on the Fleet UI
Can someone help me please?This problem has been bothering me for a long time and now the log data is contaminated Noah Talerman
1 year agoSorry for the delayed response. I’m brining up this question with the Fleet team
@User are the logs from the deleted pack still being sent? Sometimes, users encounter a lag after deleted a pack because osquery hasn’t reloaded the configuration (so it knows which queries to run). This lag would result in the logs from deleted packs still being sent before the configuration is reloaded.- d
demonbhao
1 year agoHello, the log is still being sent. It has been going on for several days
Even when I updated Fleet to the latest version 3.5.1, logs continued to be generated in ELK.I don't have this query package in the red flag Noah Talerman
1 year agoAre the two enabled query packs (
andGeneral indicators
) also generating logs in kibana? I wonder if the machines generating theossec_rootkit
logs have had their osquery configuration changed since you deleted this query pack. Meaning they know that the only query packs they should be running are the two in your second screenshot. I’m going to attempt to recreate your issue later today.listening_external_port_V1- d
demonbhao
1 year agoMy God, I came to check Elk's log today and found that the deleted pack package is finally not querying I really appreciate your help Noah Talerman
1 year agoGreat! The issue seems like an odd one to me. Glad it’s resolved. Do you mind adding your last message in the GitHub issue and closing that issue?
View count: 1