# fleet
w
any update
I enabled FIM through the Fleet UI overrides:

```yaml
platforms:
  all:
    file_paths:
      etc:
        - /etc/osquery/%
    exclude_paths:
      tmp:
        - /tmp/too_many_events/
      homes:
        - /home/not_to_monitor/.ssh/%%
```

but it doesn't seem to be working, and I cannot find any records in `file_events` after I create or delete files under /etc/osquery.
@Kathy Satterlee could you help on this thread?
k
I'll add an update as soon as I'm able, likely tomorrow morning (I'm in Texas).
I wasn't able to find a way to check that from within Fleet other than to check whether the file events were showing up as expected, so I reached out to the team to verify. There isn't a way to check that from within Fleet since it isn't something that osquery stores in a table.
You could run `osqueryd` with `--tls_dump` enabled to see the response that's coming from the Fleet server when config is checked.
w
OK, but how could we debug this issue?
@Kathy Satterlee could you advise?
k
It looks like you're using `all` there for the platform. Overrides are applied to hosts based on the platform that comes back from `SELECT platform FROM os_version;`, so that override wouldn't apply to any hosts.
w
Sorry, I don't get it. Why wouldn't it apply to any hosts?
Or how can I make it work?
k
It won't apply to any hosts because `all` is not a platform. You'll need to provide the actual platform you want the overrides to apply to.
For example, `darwin` for macOS hosts or `ubuntu` for Ubuntu hosts. If you aren't sure about the platform, you can run the above query against your hosts to see what pops up!
w
What about Debian?
k
Does that come back as `platform` if you query your hosts? It should be `ubuntu` for Ubuntu hosts, for example.
w
[screenshot of the query result of `SELECT platform FROM os_version;`] So can I say I need to define options adding `debian` as a new platform?
@Kathy Satterlee
k
Exactly!