Channels
#fleet
Title
# fleet
w
wennan.he
10/13/2022, 10:07 PMany update
i enabled the fim through fleet ui
overrides:
platforms:
all:
file_paths:
etc:
- /etc/osquery/%
exclude_paths:
tmp:
- /tmp/too_many_events/
homes:
- /home/not_to_monitor/.ssh/%%
but it seems not working, and i cannot find any record in file_events after i create or delete any files under /etc/osquery
@Kathy Satterlee could u help on this thread?
k
Kathy Satterlee
10/13/2022, 11:55 PMI'll add an update as soon as I'm able, likely tomorrow morning (I'm in Texas).
I wasn't able to find a way to check that from within Fleet other than to check whether the file events were showing up as expected, so I reached out to the team to verify. There isn't a way to check that from within Fleet since it isn't something that
osqueryYou could run
osqueryd--tls_dumpw
wennan.he
10/14/2022, 12:24 AMok, but how could we debug this issue?
@Kathy Satterlee could u advice?
k
Kathy Satterlee
10/14/2022, 4:45 PMIt looks like you're using
allSELECT platform FROM os_version;w
wennan.he
10/14/2022, 4:59 PMsorry i dont get it, why it wouldn't apply for any hosts?
or how can i let it works out?
k
Kathy Satterlee
10/14/2022, 5:28 PMIt won't apply to any hosts because
alloverridesFor example,
darwinubuntuw
wennan.he
10/14/2022, 6:11 PMwhat about debian?
k
Kathy Satterlee
10/14/2022, 6:27 PMDoes that come back as
platformIt should be
ubuntuw
wennan.he
10/14/2022, 9:42 PMthe screenshot of query result of SELECT platform FROM os_version; So can i say i need to define options and adding debian as new platform?
@Kathy Satterlee
k
Kathy Satterlee
10/14/2022, 11:31 PMExactly!