Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
i
Ibra
06/14/2022, 2:09 PMHi, I installed fleet server and generated rpm package for linux and msi package for windows, but once installed I have to go to gui every time and click on "Refresh" to refresh pc data, is it possible to enable auto refresh agent to send data automatically every few minutes?
k
Kathy Satterlee
06/14/2022, 6:19 PMHi, @Ibra! There are several intervals you can set in your configuration. It sounds like you may be looking for the
osquery_detail_update_intervali
Ibra
06/14/2022, 7:26 PMHi @Kathy Satterlee, thanks for your reply, but I used this for server-side installation (https://fleetdm.com/docs/deploying/server-installation#fleet-on-cent-os) and it does not allow me to change parameters, can you tell me how to install it on centos using the source code instead of the Fleet bin file? i used the bin file by downloading the tar.gz and then used fleetctl to generate the packages.
do you know how to install it via source code so I can make all the possible changes?
Do I have to install osquery separately on the server and on the agents? I know it is included in the package that is generated under the name orbit
when i do fleet --help i can see
osquery:
node_key_size: 24
host_identifier: provided
enroll_cooldown: 0s
status_log_plugin: filesystem
result_log_plugin: filesystem
label_update_interval: 1h0m0s
policy_update_interval: 1h0m0s
detail_update_interval: 1h0m0s
status_log_file: ""
result_log_file: ""
enable_log_rotation: false
max_jitter_percent: 10
enable_async_host_processing: "false"
async_host_collect_interval: 30s
async_host_collect_max_jitter_percent: 10
async_host_collect_lock_timeout: 1m0s
async_host_collect_log_stats_interval: 1m0s
async_host_insert_batch: 2000
async_host_delete_batch: 2000
async_host_update_batch: 1000
async_host_redis_pop_count: 1000
async_host_redis_scan_keys_count: 1000
min_software_last_opened_at_diff: 1h0m0sit's correct?
k
Kathy Satterlee
06/14/2022, 8:31 PMYes, that's the Fleet server's osquery configuration. You can apply the configuration values you want to your existing installation using environmental variables:
FLEET_OSQUERY_DETAIL_UPDATE_INTERVAL=30mfleet serve --osquery_detail_update_interval=30m.ymlosquery:
detail_update_interval:30mfleet serve --config <your file>.ymlIf you're using the command specified in that guide to start the server:
/usr/bin/fleet serve \
--mysql_address=127.0.0.1:3306 \
--mysql_database=fleet \
--mysql_username=root \
--mysql_password=toor \
--redis_address=127.0.0.1:6379 \
--server_cert=/tmp/server.cert \
--server_key=/tmp/server.key \
--logging_json/usr/bin/fleet serve \
--mysql_address=127.0.0.1:3306 \
--mysql_database=fleet \
--mysql_username=root \
--mysql_password=toor \
--redis_address=127.0.0.1:6379 \
--server_cert=/tmp/server.cert \
--server_key=/tmp/server.key \
--osquery_detail_update_interval=30m \
--logging_jsonI used 30 minutes in all of my examples, but you can pick the time that works best for you 🙂
i
Ibra
06/15/2022, 7:14 AMthanks, however if I have the variable set to 30 minutes, why do some devices update after 1 hour?
I am going to update the osquery variable by setting 5 minutes and I would like to figure out how to do auto fetch on the server so that it always goes and gets the data from osquery without my access
If I go to change the variable now, does it also take the change for hosts already entered? Do I have to go and regenerate the msi package?