Channels
doorman
infrastructure
random
zercurity
community-feeds
fleet-dev
code-review
queryhub
apple-silicon
carving
tls
fim
goquery
zentral
aws
querycon
golang
zeek
file-carving
fuzzing
auditing-warroom
linen-dev
fleetosquery
plugins
jobs
arm-architecture
darkbytes
process-auditing
uptycs
android_tests
selfgroup
vendor-feeds
fleet
eclecticiq-polylogyx-extension
ebpf
website
core
general
macos
kolide
osctrl
extensions
foundation
sql
officehours
linux
windows
Title
s
Saliaga
09/23/2021, 5:57 PMJust checking to see if my steps are correct so far:
1. After Creating a bundle using fleetctl package
2. Installing Debian package and enabling service
3. Confirming host was enrolled into Fleet through the console
4. Was able to run one off queries from the Fleet web console
After running the queries, there are no entries within osqueryd.results.log on the endpoint? Would I need to package in some osqueryd.flags to configure logging?
Should the results of the queries from the Fleet web console be saved under /logs/osqueryd.results.log (This is logging location set within the docker-compose file)? As mine seems to be empty
r
Rachel Perkins
09/23/2021, 7:23 PMHi @Saliaga, great question! So your queries aren't automatically saved in a file unless you manually save them or they're scheduled. I think this FAQ should be helpful: https://fleetdm.com/docs/using-fleet/faq#where-are-my-query-results Let us know if you have more questions!
🙌 1
s
Saliaga
09/23/2021, 7:51 PMThank you @Rachel Perkins
@Rachel Perkins So would it be common practice to schedule queries and export them from the Fleet server rather then exporting on each independent endpoint?
r
Rachel Perkins
09/23/2021, 8:43 PMDepending on what you're trying to do. Schedules is definitely better if you want a snapshot of all your hosts. You can also change the logging type, interval, etc so you don't end up with too much unwanted data
👍 1