This message was deleted.

Hi all! I just upgraded to 4.40.0, but I am not seeing the new tables (falcon_kernel_check, firefox_preferences, etc.). Are these new tables only available with Premium, or is there something I missed in the upgrade process? Apologies in advance if I missed this in the documentation.

Hi, I suddenly started to receive an error in my Fleet server, which says: {"component":"http", "err":"authentication error: find host: context cancelled", "level": "info", "path":"/api/v1/osquery/distributed/read", "ts:"<time>", "uuid":"<uuid>"} I checked my MySql server and it seems fine. What can be the source of the problem and what can I do to fix it?

Also when I look at mysql logs i get the folowing warning mysqld Forcing close of thread <ID> user: 'fleet'

Getting an “unknown system error -86” on a machine im trying to download fleetctl to. Just need to install the agent on this one. Error code pasted below NOTE: this is an M2 chip

🏗️ New commits pushed to Fleet »

running successfully but still url phase is not loading what is the problem?

page*

any help? https://osquery.slack.com/archives/C01DXJL16D8/p1700574366594369

Hey everyone 👋 I'm trying to configure Fleet MDM for SOC 2 compliance. It's important that the agent that's installed on users' devices has minimal capabilities, and that it can't possible be abused, even in theory. Is there any way to restrict the agent's capabilities to a handful of queries? I've been reading the relevant fleet and osquery docs, but it's not clear to me if the agent executable is actually restricted. If this is the wrong route, do you have any other recommendations for restricting the agent?

Hello, I want to connect host to fleet in my local for osquery. In the manual, the command to connect (ubuntu) is bellow but some error • command: fleetctl package --type=rpm --fleet-url=https://localhost:XXXX --enroll-secret=XXXX • error: No help topic for 'package' how can i fix this?

Hello, I'm looking for WebKit settings on macOS, except Safari extensions I can't see any query giving me access to the WebKit specific environment (proxy, DNS settings...) which are separate from the OS. The use case is Safari, Mail, AppStore and our MDM are behaving differently than Chrome on macOS and we would need to access the WebKit specific information to quickly isolate misconfigured machines

Hi, possibly silly question. Do you need a windows machine to generate the fleet packages? Command I'm running on macOS

fleetctl package --type msi --fleet-desktop --fleet-url=<https://fleet.onrender.com> --enroll-secret=someecret

Error:
Generating your osquery installer...
Windows Installer XML Toolset Toolset Harvester version
Copyright (c) .NET Foundation and contributors. All rights reserved.


=================================================================
	Native Crash Reporting
=================================================================
Got a UNKNOWN while executing native code. This usually indicates
a fatal error in the mono runtime or one of the native libraries
used by your application.
=================================================================

=================================================================
	Managed Stacktrace:
=================================================================
=================================================================
wine client error:29: write: Bad file descriptor
Error: package root files: heat failed: exit status 1

🏗️ New commits pushed to Fleet »

set the channel topic: ☁️ 🚀 The latest version of Fleet is 4.41.0. More info: https://github.com/fleetdm/fleet/releases/tag/fleet-v4.41.0 Upgrade now: https://fleetdm.com/docs/deploying/upgrading-fleet

Hi all, I heard recently about #fleeetm opensource, doing very well... Would like to try to setup in my network.. I am using the below docker compose in my env for the setup.. https://github.com/ksatter/fleet-docker/tree/defcon30 fleet server setup completed without any issues.. But when adding any host to fleet dm getting below error .. Any one can point me the right direction... appreciate your assistance on this.. I tried --insecure=true also still getting the same Client side error: PFA screenshot

Hi, I'm new to this community and new to using fleets. I have windows hosts to integrate into MDM, I have activated the integration but the status mdm of the hosts is always "off", can you help me?

<!here> As mentioned a couple weeks ago, Fleet 4.41 is a mandatory update for Fleet’s vulnerability management features. This is due to changes in the National Vulnerability Database APIs that Fleet uses. If you’re not currently using Fleet’s vulnerability management features, no action is required. As a reminder, vulnerability management features require that the Fleet server has at least 4GB of memory and 2GB of disk space (as per Fleet’s reference architecture). Before upgrading, please check to make sure that your Fleet server meets these requirements. Please let us know if you have any questions!

Hello there, Recently I tried to register my device (using localhost URL --> 'fleetctl package --type=pkg --fleet-desktop --fleet-url=http://localhost:8080 --enroll-secret=XXX) but it appears the following: (The secret it's auto-generated when you click 'Add hosts')

Someone can help me please? Thx!!!! 🙂

🏗️ New commits pushed to Fleet »

Something I wanted to throw out as a suggestion - I know we can search queries by name in Fleet, but it would be nice if I could search the contents of multiple queries. For example, I would like to see if I am running any queries that look in a certain table. Or, it would be good if I could see if there are duplicate queries (Example: Someone downloads a query from Palantir and renames it, and then someone else downloads the same query from Palantir).

Hello, I noticed that when

orbit

starts

osqueryd

on macOS, it sets `--disable_carver=false`:

% ps -ax | grep osquery
87960 ??         0:00.06 /opt/orbit/bin/osqueryd/macos-app/stable/osquery.app/Contents/MacOS/osqueryd --pidfile=/opt/orbit/osquery.pid --database_path=/opt/orbit/osquery.db --extensions_socket=/opt/orbit/orbit-osquery.em --logger_path=/opt/orbit/osquery_log --enroll_secret_env ENROLL_SECRET --host_identifier=uuid --tls_hostname=<http://glycine.wesleyan.edu|glycine.wesleyan.edu> --enroll_tls_endpoint=/api/v1/osquery/enroll --config_plugin=tls --config_tls_endpoint=/api/v1/osquery/config --config_refresh=60 --disable_distributed=false --distributed_plugin=tls --distributed_tls_max_attempts=10 --distributed_tls_read_endpoint=/api/v1/osquery/distributed/read --distributed_tls_write_endpoint=/api/v1/osquery/distributed/write --logger_plugin=tls,filesystem --logger_tls_endpoint=/api/v1/osquery/log --disable_carver=false --carver_disable_function=false --carver_start_endpoint=/api/v1/osquery/carve/begin --carver_continue_endpoint=/api/v1/osquery/carve/block --carver_block_size=8000000 --tls_server_certs /opt/orbit/certs.pem --augeas_lenses /opt/orbit/lenses --force --flagfile /opt/orbit/osquery.flags

In an attempt to disable file carving, I added

--disable_carver=true

to `osquery.flags`:

% sudo cat /opt/orbit/osquery.flags
--disable_carver=true

Then restarted `orbit`:

sudo launchctl unload /Library/LaunchDaemons/com.fleetdm.orbit.plist
sudo launchctl load /Library/LaunchDaemons/com.fleetdm.orbit.plist

However, when

orbit

starts

osqueryd

, it still passes the

--disable_carver=false

flag. If there's a conflict between the command-line flags and the contents of

--flagfile

, which wins? Does it matter which order they're specified? Is there a way to tell for sure that carving is disabled? Thanks!

hello, does anyone know why this query would work locally with

osqueryi

, but not when run in Fleet as a distributed query? I’ve tested other distributed queries on the host and it returns results

SELECT
  f.path
FROM
  file AS f
JOIN
  mdfind ON mdfind.path = f.path AND mdfind.query = "kMDItemDisplayName == 'ids.csv'";

running

fleet:v4.38.1

🏗️ New commits pushed to Fleet »

Hi, I've an issue with software inventory on Linux hosts. Querying the installed packages via fleet works. However, the software inventory stays blank for newly added Linux hosts and shows outdated data for existing Linux hosts. I'm not sure were to start to investigate the issue. Any help appreciated. Thanks.

Hi all - got a question from my IT team: Can the paid edition of Fleet manage phones?

I recently upgraded from fleetdm v4.11 to latest. I am taking a look at the results from the per_query_perf query I have scheduled which seems to contain queries from legacy packs (LinuxPack, mac-pack, windows-pack, etc). I am sending the result.log via a splunk UF on the server hosting fleet. when i run the GET schedule API I was thinking the legacy packs would be there so I can stop them, but they were not. are the packs managed solely by fleetctl? or are they supposed to be running in the background by design?

set the channel topic: ☁️ 🚀 The latest version of Fleet is 4.41.1. More info: https://github.com/fleetdm/fleet/releases/tag/fleet-v4.41.1 Upgrade now: https://fleetdm.com/docs/deploying/upgrading-fleet