#fleet

Ted Dorosheff

01/26/2022, 8:00 PM
What is the best way to write a yaml config in fleetDM, which will include file_paths definitions for mac, linux and windows clients? Could the config simply include all of the file paths, and whatever cannot be found on the client side will simply be skipped? Such as:
{
  "file_paths": {
    "linux": [
      "/root/.ssh/%%",
      "/home/%/.ssh/%%"
    ],
    "windows": [
      "C:\\Windows\\Temp\\",
      "C:\\Windows\\Tasks\\"
    ],
    "mac": [
      "/Library/",
      "/Applications/"
    ]
  },
  "exclude_paths": {
    "linux": [
      "/home/not_to_monitor/.ssh/%%"
    ],
    "windows": [
      "/tmp/too_many_events/"
    ],
    "mac": [
      "/Applications/too_many_events/"
    ]
  }
}
Or should the platform key be used? If so, how would that look? So far all the examples I'm seeing in docs include the platform key within a query or packs section, and we're trying to manage both queries and functions outside of Settings>yaml in FleetDM. Thanks
Lucas Rodriguez

01/26/2022, 8:31 PM
Hi Ted! As far as I can see, yes, you'll need to do the override for each platform in the agent options yaml, see the following example https://github.com/fleetdm/fleet/tree/main/docs/01-Using-Fleet/configuration-files#agent-options
8:34 PM
Once that's configured, then the scheduled queries or packs using file_events should use the configured file_paths.
8:35 PM
Oh also, what do you mean by:
and we're trying to manage both queries and functions outside of Settings>yaml in FleetDM.
Ted Dorosheff

01/27/2022, 12:39 AM
Oh wow, the fleetDM github... idk how I haven't tapped into this resource yet. That's a great article. Looks like they are using a single overrides section, with multiple platforms defined within it. This clears up a bit of confusion I had; each platform does not get its own override section, but is just referenced in one override section. So a bit of context: I've recently inherited management of our osquery/fleetDM deployment. The current yaml config (written by the previous owner, and which has a single small override section, defining only windows file_paths) isn't working on my windows test vm. And by that I mean, ntfs_journal_events is not being populated by events, even after making changes to directories on the vm which are listed in the yaml file_paths. However, when I wrote my own osquery.conf file (which you helped me with the other day) and loaded it via filesystem plugin, I was able to generate test events and see them in the ntfs_journal_events. I don't think the yaml config in fleetDM is syntactically incorrect, because fleetDM tells me when it's not. However, in the config (and this somewhat alludes to my comment about managing queries/packs outside of the yaml config) there are no query statements. All of our queries are in /queries/manage of the fleetDM ui.
config:
  options:
    events_expiry: 60
    config_refresh: 600
    host_identifier: instance
    distributed_interval: 60
  overrides:
    platforms:
      windows:
        options:
          events_expiry: 60
          config_refresh: 600
          host_identifier: instance
          distributed_interval: 60
        decorators:
          load:
            - >-
              SELECT COALESCE((select instance_id FROM ec2_instance_metadata),
              hostname) as hostname FROM system_info;
        file_paths:
          users:
            - 'C:\Users\%\AppData\Roaming\%'
            - 'C:\Users\%\AppData\Local\%'
            - 'C:\Users\%\AppData\Local\temp\%'
            - >-
              C:\Users\%\AppData\Roaming\Microsoft\Windows\Start
              Menu\Programs\Startup\%
            - 'C:\Users\%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\%'
            - 'C:\Users\%\Default\%'
          windows:
            - 'C:\Windows\%'
            - 'C:\Windows\Temp\%'
            - 'C:\Windows\System32\Drivers\%'
            - 'C:\Windows\SysWOW64\Drivers\%'
            - 'C:\Windows\System32\GroupPolicy\Machine\Scripts\%'
            - 'C:\Windows\System32\GroupPolicy\User\Scripts\%'
            - 'C:\Windows\System32\Wbem\%'
            - 'C:\Windows\SysWOW64\Wbem\%'
            - 'C:\Windows\System32\WindowsPowerShell\%'
            - 'C:\Windows\SysWOW64\WindowsPowerShell\%'
            - 'C:\Windows\Tasks\%'
            - 'C:\Windows\System32\Tasks\%'
            - 'C:\Windows\AppPatch\Custom\%'
          ProgramData:
            - 'C:\ProgramData\Microsoft\Windows\Start Menu\%'
            - 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\%'
        exclude_paths:
          windows:
            - 'C:\Windows\system32\DriverStore\Temp\%'
            - 'C:\Windows\system32\wbem\Performance\%'
            - 'C:\Windows\System32\Tasks\Adobe Acrobat Update Task\%'
            - 'C:\Windows\System32\Tasks\Adobe Flash Player Updater\%'
            - >-
              C:\Windows\System32\Tasks\OfficeSoftwareProtectionPlatform\SvcRestartTask\%
  decorators:
    load:
      - >-
        SELECT COALESCE((select instance_id FROM ec2_instance_metadata),
        hostname) as hostname FROM system_info;
  file_paths:
    etc:
      - /etc/group
      - /etc/passwd
      - /etc/shadow
      - /etc/services
      - /etc/sudoers
      - /etc/ld.so.preload
      - /etc/ld.so.conf
      - /etc/ld.so.conf.d/%%
      - /etc/pam.d/%%
      - /etc/resolv.conf
      - /etc/modules
      - /etc/hosts
      - /etc/hostname
      - /etc/fstab
      - /etc/rsyslog.conf
    ssh:
      - /root/.ssh/%%
      - /home/%/.ssh/%%
      - /etc/ssh/%%
      - /var/lib/sia/keys/
      - /var/lib/sia/certs/
    logs:
      - /var/log/secure
    docker:
      - /etc/docker/%%
      - /etc/default/docker
      - /etc/docker/daemon.json
      - /usr/bin/containerd
      - /usr/sbin/runc
      - /etc/sysconfig/docker
      - /usr/lib/systemd/system/docker.service
      - /usr/lib/systemd/system/docker.socket
    osquery:
      - /etc/osquery/%%
      - /usr/share/osquery/packs/%%
    firewalls:
      - /etc/sysconfig/iptables
      - /home/y/conf/yakl/%%
      - /etc/yakl/conf/%%
Should there be a scheduled "query": "select * from ntfs_journal_events;" in the yaml config? We thought that it would be easier to manage queries/packs using the UI in fleetDM, and to leave the yaml config to only define file_paths, decorators and other options.
4:17 PM
@Lucas Rodriguez just drawing your attention to the above.
Lucas Rodriguez

01/27/2022, 9:59 PM
@Ted Dorosheff Sorry for the delay. Packs and queries won't show up in the Fleet config YAML. Queries and packs are visible/configurable from/via the UI and also via the command line with fleetctl apply. Let me know if this makes sense.