hi fleet team how can i know the options i change in ui is p osquery #fleet

Join Slack

hi fleet team, how can i know the options i change...

# fleet

wennan.he

10/13/2022, 7:09 PM

hi fleet team, how can i know the options i change in ui is pushed to agent side?

Kathy Satterlee

10/13/2022, 7:16 PM

A good way to check is by querying the

osquery_flags

table with Fleet:

SELECT  name, value FROM osquery_flags

Kathy Satterlee

10/13/2022, 7:16 PM

You could include a

WHERE

clause if there was a specific flag you wanted to check.

wennan.he

10/13/2022, 7:20 PM

well, i am confused, you mean all the options i changed in ui is also storing this osquery_flags table?

Kathy Satterlee

10/13/2022, 7:32 PM

What I'm recommending there is querying your hosts using Fleet, not the Fleet database. The response you get back will be the flags that are set on the host.

Kathy Satterlee

10/13/2022, 7:33 PM

So you can set the options you want in the UI, then wait a bit to give the hosts time to check in and get the configuration, then query the hosts to verify that the flags you set are reflected in the response.

wennan.he

10/13/2022, 7:33 PM

yes, i understand, so my question is why i cannot push flags also through fleet ui like disable_events?

Kathy Satterlee

10/13/2022, 7:35 PM

Because osquery does not support setting command-line flags through the

config

plugin.

Kathy Satterlee

10/13/2022, 7:42 PM

And Fleet does not write to your system, so it cannot change startup commands or flag files.

Kathy Satterlee

10/13/2022, 7:44 PM

There is work being done to allow this with Orbit that you may want to keep an eye on! https://github.com/fleetdm/fleet/issues/6851

wennan.he

10/13/2022, 8:30 PM

ok thx 4 explain

Open in Slack

Previous Next