OSquery enrollment issues - Fresh installation

Below are a few guidelines to troubleshoot osquery communication issues. 

If, after a fresh osquery installation, the asset does not show as online in the Uptycs portal, follow the steps below.


1) Asset Group Access: Check the asset group of the package or the endpoint and ensure that you, as a user, have access to the asset group in which the endpoint is expected to be enrolled.

   If you do not have visibility into that asset group, configure access under Users >> Edit >> Associated Asset Groups, choose the relevant asset group from the "Add asset group" drop-down, then log out and log back in. You should then see the asset online on the dashboard's asset listing page.


2) Osquery permissions on the asset: Check whether permission issues on the asset prevent the osqueryd daemon (or the osqueryd service, on Windows) from running properly. The osqueryd daemon should run as the root user (or with administrative privileges).


3) Missing flag and config files: The osquery package can be downloaded in two flavors: the binary together with the flag files and the Uptycs secret file, or just the binary files. The binary-only package is usually used for upgrades. If it is used for a fresh install, osqueryd fails to initialize and the endpoint will not communicate with Uptycs.

You can unzip the DEB or RPM package and check whether it is missing the osquery.flags and uptycs.secret files.

The same check can be done on the endpoint at the following locations:


Mac/Linux : /etc/osquery/osquery.flags 

Windows: C:\Program Files (x86)\Uptycs\osquery\conf 


4) proxy_hostname and tls_hostname: If the endpoint is expected to connect to the Uptycs server through a proxy, check and test the proxy configuration from the endpoint.

   4.a) Check the proxy_hostname and tls_hostname values in the flag file. If these values are correct, use the telnet and curl commands to test connectivity as shown below:

       user@my-server:/ telnet mycompany.uptycs.io 443

   You can also use curl to request the HTTP REST API, which can provide more details if the request is failing:

       curl -i https://mycompany.uptycs.io/agent/enroll


Any timeout in the checks above indicates that the network path between the endpoint and the Uptycs server is not functional and needs assistance from the IT/network team.


   4.b) Asset-group-specific tls_hostname: Sometimes different business units or geographies need to connect to the Uptycs server through a forward proxy. In that case there is a custom tls_hostname for that business unit or geography under an asset group name, meaning that instead of mycompany.uptycs.io the configuration might be mycompanyinEurope.uptycs.io.
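The checks in steps 2 to 4 can be scripted on a Linux or Mac endpoint. The script below is an added example, not an Uptycs tool: it reads the flag file, confirms that the tls_hostname and the enroll secret it points to are present, checks that osqueryd runs as root, and probes the enroll URL through the proxy named in proxy_hostname. It assumes the standard osquery flags --tls_hostname, --proxy_hostname and --enroll_secret_path, and the hypothetical file name enroll_preflight.sh.

```shell
#!/bin/sh
# Pre-flight check for osquery enrollment (added example, not an Uptycs tool).
# Reads the flags file, verifies the enroll secret, checks the daemon user and
# probes the enroll URL via the configured proxy, if any.

# get_flag FILE NAME: print the value of --NAME=value from FILE (empty if absent)
get_flag() {
    sed -n "s/^--$2=//p" "$1" | head -n 1
}

# check_enroll_files FLAGS_FILE: 0 if flags file, tls_hostname and secret file are present (step 3)
check_enroll_files() {
    flags="$1"
    [ -r "$flags" ] || { echo "missing flags file: $flags"; return 1; }
    host=$(get_flag "$flags" tls_hostname)
    [ -n "$host" ] || { echo "no --tls_hostname in $flags"; return 1; }
    secret=$(get_flag "$flags" enroll_secret_path)
    [ -n "$secret" ] || { echo "no --enroll_secret_path in $flags"; return 1; }
    [ -r "$secret" ] || { echo "missing secret file: $secret"; return 1; }
    proxy=$(get_flag "$flags" proxy_hostname)
    echo "flags ok: tls_hostname=$host proxy_hostname=${proxy:-<none>}"
}

# daemon_user_check: 0 if an osqueryd process is running as root (step 2)
daemon_user_check() {
    pgrep -x -u root osqueryd >/dev/null || { echo "osqueryd is not running as root"; return 1; }
}

# enroll_url_check FLAGS_FILE: curl the enroll endpoint, via the proxy if one is set (step 4)
enroll_url_check() {
    host=$(get_flag "$1" tls_hostname)
    proxy=$(get_flag "$1" proxy_hostname)
    set -- -sS -m 10 -o /dev/null -w 'HTTP %{http_code} from %{url_effective}\n'
    [ -n "$proxy" ] && set -- "$@" --proxy "$proxy"
    curl "$@" "https://$host/agent/enroll" \
        || { echo "timeout or TLS/proxy failure reaching $host (check with IT/network team)"; return 1; }
}

# enroll_preflight FLAGS_FILE: run all checks, stopping at the first failure
enroll_preflight() {
    check_enroll_files "$1" && daemon_user_check && enroll_url_check "$1"
}

# Usage: sh enroll_preflight.sh /etc/osquery/osquery.flags
if [ $# -gt 0 ]; then enroll_preflight "$1"; fi
```

A non-zero exit from the script names the first failing check, which maps directly onto the step above that needs attention.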


5) Errors from osquery worker logs: The osqueryd worker logs can provide additional details. Below is a sample error message to look for, which indicates a localized connectivity issue on the endpoint:

W1118 21:18:57.814241 19059 fast_buffered.cpp:121] Error sending 24 results: Request error: selectBestConnectionSetting failed to find suitable connection: Transport endpoint is not connected