Osquery uses basic SQL commands to leverage a relational data-model to describe a device.

osquery

Aside from the ease of installation, is there any benefit to running the fleet agent vs stock osquery? Anyone have an example of using the secret &amp; flagfile in the osquery systemd unit?

Oh w00t I didn't even know that there was a fleet-agent vs osquery I just been using osquery stock. or is the fleet-osquery produced by orbit?

<@U03EW5M588P> yes I am using stock osquery from the official osquery debian repo on my ubuntu servers and it gets placed in /opt/osquery and my osquery.flags resides in /etc/osquery so does my secret.txt and my fleet.pem (cert to auth with fleet server)

The install automatically makes and enables a systemd service, the unit file located at /lib/systemd/system/osqueryd.service

```[Unit]
Description=The osquery Daemon
After=network.service syslog.service

[Service]
TimeoutStartSec=0
EnvironmentFile=/etc/default/osqueryd
ExecStartPre=/bin/sh -c "if [ ! -f $FLAG_FILE ]; then touch $FLAG_FILE; fi"
ExecStartPre=/bin/sh -c "if [ -f $LOCAL_PIDFILE ]; then mv $LOCAL_PIDFILE $PIDFILE; fi"
ExecStart=/opt/osquery/bin/osqueryd \
  --flagfile $FLAG_FILE \
  --config_path $CONFIG_FILE
Restart=on-failure
KillMode=control-group
KillSignal=SIGTERM
TimeoutStopSec=15
CPUQuota=20%

[Install]
WantedBy=multi-user.target```

from what I canh see in that if you want to specify where is the flag file you set $FLAG_FILE inside /etc/default/osquery but i am not bothering I just place it in /etc/osquery

Automatic updates are another big selling point for using Orbit to manage osquery.

Thank you <@U01DFNXHY92>! :smile: &amp; <@U02KY9FDA59>

I’ll look into Orbit a bit more, currently my plan is to try to decouple osquery as much as possible so that fleet is more used for ad-hoc queries rather than managing the install - we have a very strict installation process, packaging our own RPMs and with a local agent managing install &amp; upgrades across the fleet.