Hi all 👋 On a macOS host, are you able to configure osquery params after installation? I attempted to modify

/Library/LaunchDaemons/com.fleetdm.orbit.plist

The file:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "<http://www.apple.com/DTDs/PropertyList-1.0.dtd>">
<plist version="1.0">
<dict>
	<key>EnvironmentVariables</key>
	<dict>
		<key>ORBIT_ENROLL_SECRET_PATH</key>
		<string>/opt/orbit/secret.txt</string>
		<key>ORBIT_FLEET_URL</key>
		<string><https://example.com></string>
		<key>ORBIT_ORBIT_CHANNEL</key>
		<string>stable</string>
		<key>ORBIT_OSQUERYD_CHANNEL</key>
		<string>stable</string>
		<key>ORBIT_UPDATE_URL</key>
		<string><https://example.com></string>
		<key>ORBIT_FLEET_DESKTOP</key>
		<string>true</string>
		<key>ORBIT_DESKTOP_CHANNEL</key>
		<string>stable</string>
		<key>ORBIT_UPDATE_INTERVAL</key>
		<string>15m0s</string>
	</dict>
	<key>KeepAlive</key>
	<true/>
	<key>Label</key>
	<string>com.fleetdm.orbit</string>
	<key>ProgramArguments</key>
	<array>
		<string>/opt/orbit/bin/orbit/orbit</string>
		<string>--</string>
		<string>--disable_events=false</string>
		<string>--enable_file_events</string>
		<string>--disable_endpointsecurity=false</string>
		<string>--disable_endpointsecurity_fim=false</string>
	</array>
	<key>RunAtLoad</key>
	<true/>
	<key>StandardErrorPath</key>
	<string>/var/log/orbit/orbit.stderr.log</string>
	<key>StandardOutPath</key>
	<string>/var/log/orbit/orbit.stdout.log</string>
	<key>ThrottleInterval</key>
	<integer>10</integer>
</dict>
</plist>

Unfortunately adding ProgramArguments and restarting the agent has no effect:

<key>ProgramArguments</key>
	<array>
		<string>/opt/orbit/bin/orbit/orbit</string>
		<string>--</string>
		<string>--disable_events=false</string>
		<string>--enable_file_events</string>
		<string>--disable_endpointsecurity=false</string>
		<string>--disable_endpointsecurity_fim=false</string>
	</array>

I also tried modifying

/opt/orbit/osquery.flag

file that did not work either. I’m newer to fleet/orbit so I may be not understanding what needs to be done at package/built time vs what can be configured at runtime.

i am no expert but you Should be able to configure most in global agent options in fleet UI settings

You are looking to modify the osquery flags, correct? You'd need to build a new orbit installer with fleetctl with the new flags. I hear the Fleet team is working towards being able to centrally manage the osquery flag dynamically, but that feature is no here today.

Hi @Mike M! If you modified the flag file, try running orbit with the flag file path included:

orbit --flagfile=/opt/orbit/osquery.flag

Awesome thank you, I will try that! 🙂