https://github.com/osquery/osquery logo
Powered by
#fleet
Title
w

wennan.he

10/13/2022, 7:09 PM
hi fleet team, how can i know the options i change in ui is pushed to agent side?
k

Kathy Satterlee

10/13/2022, 7:16 PM
A good way to check is by querying the 
osquery_flags
table with Fleet: 
SELECT  name, value FROM osquery_flags
You could include a 
WHERE
clause if there was a specific flag you wanted to check.
w

wennan.he

10/13/2022, 7:20 PM
well, i am confused, you mean all the options i changed in ui is also storing this osquery_flags table?
k

Kathy Satterlee

10/13/2022, 7:32 PM
What I'm recommending there is querying your hosts using Fleet, not the Fleet database. The response you get back will be the flags that are set on the host.
So you can set the options you want in the UI, then wait a bit to give the hosts time to check in and get the configuration, then query the hosts to verify that the flags you set are reflected in the response.
w

wennan.he

10/13/2022, 7:33 PM
yes, i understand, so my question is why i cannot push flags also through fleet ui like disable_events?
k

Kathy Satterlee

10/13/2022, 7:35 PM
Because osquery does not support setting command-line flags through the 
config
plugin.
And Fleet does not write to your system, so it cannot change startup commands or flag files.
There is work being done to allow this with Orbit that you may want to keep an eye on! https://github.com/fleetdm/fleet/issues/6851
w

wennan.he

10/13/2022, 8:30 PM
ok thx 4 explain
Powered by