# fleet
s
Hey! On what kind of interval do the policies run? Because I enabled 4 policies yesterday, and I set up a webhook to Splunk, but I don't see the policies being run again or nothing gets through to Splunk?
k
Hi @Sebastiaan! Policies run based on the osquery_policy_update_interval, set in Fleet, with the default interval being 90 min. You should only see a webhook trigger when a host is newly failing a policy. https://fleetdm.com/docs/deploying/configuration#osquery-policy-update-interval
s
@Kathy Satterlee thank you for the feedback! So when I have the policy and it already ran once and tagged a few hosts as failing, and I set up the automation afterwards, then that automation won't report those already marked devices, right?
k
What version of Fleet are you running?
In v4.25.0, an endpoint was added to reset the status so that automations will run on all hosts rather than just newly failing: https://fleetdm.com/docs/using-fleet/rest-api#run-automation-for-all-failing-hosts-of-a-policy
s
Oh we are running at v4.30.0
or higher
we deployed, using the helm chart, a little over 2 weeks ago
l
Hi @Sebastiaan! OK if you have 4.30.0 then such POST /api/v1/fleet/automations/reset endpoint that Kathy mentioned should be available. How to trigger such a thing:
curl -X POST \
    -H "Authorization: Bearer $API_TOKEN" \
    https://your-fleet-address/api/latest/fleet/automations/reset \
    -d '{ "team_ids": [1], "policy_ids": [1, 2, 3] }'
Where API_TOKEN can be retrieved in Fleet via the top right icon -> My account -> Get API token.