Hi,
Running a live query against Windows Elastic Agents: select * from bitlocker_info;
Of the 27 targeted hosts, only 5 or so reply with a result set; the others don't seem to return anything.
For a host that doesn't return anything, I see in the logs:
14:41:37.740 elastic_agent.osquerybeat [elastic_agent.osquerybeat][debug] resetable action handler: execute
14:41:37.740 elastic_agent.osquerybeat [elastic_agent.osquerybeat][debug] Execute query: select * from bitlocker_info;
14:41:37.740 elastic_agent.osquerybeat [elastic_agent.osquerybeat][debug] osquery connect, query: select * from bitlocker_info;, timeout: 1m0s
14:41:37.740 elastic_agent.osquerybeat [elastic_agent.osquerybeat][debug] attempt 1 out of 11
14:41:37.740 elastic_agent.osquerybeat [elastic_agent.osquerybeat][debug] attempt 1 out of 11 succeeded
14:41:37.756 elastic_agent.osquerybeat [elastic_agent.osquerybeat][debug] using cached column types for query: select * from bitlocker_info;
14:41:37.756 elastic_agent.osquerybeat [elastic_agent.osquerybeat][debug] Completed query in: 15.8065ms
14:41:37.756 elastic_agent.osquerybeat [elastic_agent.osquerybeat][info] 0 events sent to index logs-osquery_manager.result-default
14:41:40.052 elastic_agent.osquerybeat [elastic_agent.osquerybeat][warn] Error retreiving information from WMI.
From a host that does return a result set, I see:
15:54:39.470 elastic_agent.osquerybeat [elastic_agent.osquerybeat][debug] resetable action handler: execute
15:54:39.471 elastic_agent.osquerybeat [elastic_agent.osquerybeat][debug] Execute query: select * from bitlocker_info;
15:54:39.471 elastic_agent.osquerybeat [elastic_agent.osquerybeat][debug] osquery connect, query: select * from bitlocker_info;, timeout: 1m0s
15:54:39.471 elastic_agent.osquerybeat [elastic_agent.osquerybeat][debug] attempt 1 out of 11
15:54:39.471 elastic_agent.osquerybeat [elastic_agent.osquerybeat][debug] attempt 1 out of 11 succeeded
15:54:39.531 elastic_agent.osquerybeat [elastic_agent.osquerybeat][debug] using cached column types for query: select * from bitlocker_info;
15:54:39.531 elastic_agent.osquerybeat [elastic_agent.osquerybeat][debug] Completed query in: 59.6141ms
15:54:39.531 elastic_agent.osquerybeat [elastic_agent.osquerybeat][info] 1 events sent to index logs-osquery_manager.result-default
15:54:49.635 elastic_agent.osquerybeat [elastic_agent.osquerybeat][debug] Completed dialing successfully
15:54:49.681 elastic_agent.osquerybeat [elastic_agent.osquerybeat][debug] PublishEvents: 1 events have been published to elasticsearch in 149.383ms.
15:54:49.688 elastic_agent.osquerybeat [elastic_agent.osquerybeat][debug] ackloop: return ack to broker loop:1
15:54:49.688 elastic_agent.osquerybeat [elastic_agent.osquerybeat][debug] ackloop: done send ack
It looks very much the same, with no hint as to why one host doesn't send output for that query while the other one does.
To this query, for example, both hosts reply properly:
select * from kernel_info;
Using ELK Stack 8.14.2.
Anyone with an idea why only a few hosts respond properly?
Sebastian
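A triage helper added here as an example (not part of the post or of osquerybeat): it parses osquerybeat records in the format quoted above and classifies each host's run of the bitlocker_info query by whether any events were sent and whether a WMI warning followed. The host names, the grouping of lines per host and the third host's kernel_info-only run are constructed for the example.

```python
import re
# Record shape taken from the osquerybeat debug log quoted in the post.
LINE_RE = re.compile(r"^(?P<ts>[\d:.]+)\s+\S+\s+\[[^\]]*\]\[(?P<level>\w+)\]\s+(?P<msg>.*)$")
SENT_RE = re.compile(r"^(\d+) events sent to index")
QUERY_RE = re.compile(r"^Execute query: (.*)$")

# Constructed sample: host-a and host-b are the two runs from the post (trimmed to the
# decisive records); host-c is a hypothetical host that only ran kernel_info.
SAMPLE_LOGS = {
    "host-a": [
        "14:41:37.740 elastic_agent.osquerybeat [elastic_agent.osquerybeat][debug] Execute query: select * from bitlocker_info;",
        "14:41:37.756 elastic_agent.osquerybeat [elastic_agent.osquerybeat][debug] Completed query in: 15.8065ms",
        "14:41:37.756 elastic_agent.osquerybeat [elastic_agent.osquerybeat][info] 0 events sent to index logs-osquery_manager.result-default",
        "14:41:40.052 elastic_agent.osquerybeat [elastic_agent.osquerybeat][warn] Error retreiving information from WMI.",
    ],
    "host-b": [
        "15:54:39.471 elastic_agent.osquerybeat [elastic_agent.osquerybeat][debug] Execute query: select * from bitlocker_info;",
        "15:54:39.531 elastic_agent.osquerybeat [elastic_agent.osquerybeat][info] 1 events sent to index logs-osquery_manager.result-default",
    ],
    "host-c": ["16:00:00.000 elastic_agent.osquerybeat [elastic_agent.osquerybeat][debug] Execute query: select * from kernel_info;"],
}

def parse_line(line):
    """Split one osquerybeat record into (timestamp, level, message); None if it is not a record."""
    m = LINE_RE.match(line.strip())
    return (m["ts"], m["level"], m["msg"]) if m else None

def triage(logs_by_host, query="select * from bitlocker_info;"):
    """Per host: 'ok' (>=1 event sent), 'empty+wmi' (0 events, then a WMI warning),
    'empty' (0 events, no WMI warning), 'not-run' (no result record for that query)."""
    verdicts = {}
    for host, lines in logs_by_host.items():
        in_query, sent, wmi_warn = False, None, False
        for _, level, msg in filter(None, map(parse_line, lines)):
            q = QUERY_RE.match(msg)
            if q:  # a query starts; state is reset only when it is the query we track
                in_query = q[1].strip() == query
                if in_query:
                    sent, wmi_warn = None, False
                continue
            s = SENT_RE.match(msg)
            if in_query and s:
                sent = int(s[1])
            elif in_query and level == "warn" and "WMI" in msg:
                wmi_warn = True
        if sent is None:
            verdicts[host] = "not-run"
        else:
            verdicts[host] = "ok" if sent > 0 else ("empty+wmi" if wmi_warn else "empty")
    return verdicts
```

Hosts that land in empty+wmi are the ones whose WMI access to the BitLocker data is worth checking before suspecting the osquery side.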