I m using an overrides key in my yaml config for windows cli

Question

I m using an overrides key in my yaml config for windows clients On a test windows machine i m seeing an error line in the osqueryd verbose stdout ```W0207 12 30 36 535475 6440 options cpp 101 Cannot set unknown or invalid flag enable file events``` as well as ```I0207 12 30 47 051750 6440 eventfactory cpp 156 Event publisher not enabled ntfs event publisher NTFS event publisher disabled via configuration I0207 12 30 47 113627 6440 events cpp 70 Skipping subscriber powershell events Required publisher is disabled by configuration``` both of those event publishers are enabled within the overrides section of my config and the `enable file events true` is set outside by overrides key So its fleetDM is not respecting the overrides key

zwass · Answer

Possibly misplaced overrides Can you paste the config redacted if necessary

Ted Dorosheff · Answer

this is what i paste into the agent settings yaml editor ```config options disable events false enable file events true disable distributed false distributed interval 60 decorators load SELECT COALESCE select instance id FROM ec2 instance metadata hostname as hostname FROM system info file paths etc etc group etc passwd etc shadow etc services etc sudoers etc ld so preload etc ld so conf etc ld so conf d etc pam d etc resolv conf etc modules etc hosts etc hostname etc fstab etc rsyslog conf ssh root ssh home ssh etc ssh var lib sia keys var lib sia certs logs var log secure docker etc docker etc default docker etc docker daemon json usr bin containerd usr sbin runc etc sysconfig docker usr lib systemd system docker service usr lib systemd system docker socket osquery etc osquery usr share osquery packs firewalls etc sysconfig iptables home y conf yakl etc yakl conf overrides platforms windows options disable events false enable ntfs event publisher true enable powershell events subscriber true enable windows events publisher true enable windows events subscriber true disable distributed false distributed interval 60 decorators load SELECT COALESCE select instance id FROM ec2 instance metadata hostname as hostname FROM system info file paths Users C Users AppData Roaming C Users AppData Local C Users AppData Local temp C Users AppData Roaming Microsoft Windows Start Menu Programs Startup C Users AppData Roaming Microsoft Windows Start Menu Programs C Users Default Windows C Windows C Windows Temp C Windows System32 Drivers C Windows SysWOW64 Drivers C Windows System32 GroupPolicy Machine Scripts C Windows System32 GroupPolicy User Scripts C Windows System32 Wbem C Windows SysWOW64 Wbem C Windows System32 WindowsPowerShell C Windows SysWOW64 WindowsPowerShell C Windows Tasks C Windows System32 Tasks C Windows AppPatch Custom C Windows system32 DriverStore Temp C Windows system32 wbem Performance C Windows System32 Tasks Adobe Acrobat Update Task C Windows System32 Tasks Adobe Flash Player Updater C Windows System32 Tasks OfficeSoftwareProtectionPlatform SvcRestartTask ProgramData C ProgramData Microsoft Windows Start Menu C ProgramData Microsoft Windows Start Menu Programs ```

Ted Dorosheff · Answer

however once i click update settings the editor moves things around puts single quotes in place of double quotes and also adds the little gt on lines 20 28 31 53 and 60 not sure if any of that matters but this is what the yaml looks like after i update ```config options disable events false enable file events true disable distributed false distributed interval 60 overrides platforms windows options disable events false disable distributed false distributed interval 60 enable ntfs event publisher true enable windows events publisher true enable windows events subscriber true enable powershell events subscriber true decorators load gt SELECT COALESCE select instance id FROM ec2 instance metadata hostname as hostname FROM system info file paths Users C Users AppData Roaming C Users AppData Local C Users AppData Local temp gt C Users AppData Roaming Microsoft Windows Start Menu Programs Startup gt C Users AppData Roaming Microsoft Windows Start Menu Programs C Users Default Windows C Windows C Windows Temp C Windows System32 Drivers C Windows SysWOW64 Drivers C Windows System32 GroupPolicy Machine Scripts C Windows System32 GroupPolicy User Scripts C Windows System32 Wbem C Windows SysWOW64 Wbem C Windows System32 WindowsPowerShell C Windows SysWOW64 WindowsPowerShell C Windows Tasks C Windows System32 Tasks C Windows AppPatch Custom C Windows system32 DriverStore Temp C Windows system32 wbem Performance C Windows System32 Tasks Adobe Acrobat Update Task C Windows System32 Tasks Adobe Flash Player Updater gt C Windows System32 Tasks OfficeSoftwareProtectionPlatform SvcRestartTask ProgramData C ProgramData Microsoft Windows Start Menu C ProgramData Microsoft Windows Start Menu Programs decorators load gt SELECT COALESCE select instance id FROM ec2 instance metadata hostname as hostname FROM system info file paths etc etc group etc passwd etc shadow etc services etc sudoers etc ld so preload etc ld so conf etc ld so conf d etc pam d etc resolv conf etc modules etc hosts etc hostname etc fstab etc rsyslog conf ssh root ssh home ssh etc ssh var lib sia keys var lib sia certs logs var log secure docker etc docker etc default docker etc docker daemon json usr bin containerd usr sbin runc etc sysconfig docker usr lib systemd system docker service usr lib systemd system docker socket osquery etc osquery usr share osquery packs firewalls etc sysconfig iptables home y conf yakl etc yakl conf ```

zwass · Answer

`overrides` needs to be at the same indentation level as `config` not indented

Ted Dorosheff · Answer

ahhhh okay

Ted Dorosheff · Answer

and then everything within overrides follows suit from that indent So like platform is 1 indent from overrides windows would be 1 over from platform etc etc

zwass · Answer

Yes that s right

Ted Dorosheff · Answer

first place medal for you man

Ted Dorosheff · Answer

that fixed it

zwass · Answer

beers