# fleet
e
The Software Inventory functionality only lists the host's software? Where can I see related CVEs? Do I need to set the databases_path variable? I'm using environmental variables, how can I set it that way?
t
you need to set the databases path, please follow the documentation to enable vulnerability checks: https://github.com/fleetdm/fleet/blob/main/docs/1-Using-Fleet/13-Vulnerability-Processing.md
e
I'm not setting my configuration via a conf file, I'm using environmental variables. Can I do it that way? (I'm using Docker)
t
not for vulnerabilities, only for software inventory
e
Ok, do you know where the config file is in the Docker image? I don't have the config file mapped so I can't set that variable
t
you would apply it through fleetctl with
fleetctl apply -f yourconfig.yml
the config itself for the server lives in mysql
e
Ok, applying
docs/1-Using-Fleet/configuration-files/multi-file-configuration/organization-settings.yml
should be enough?
Mapping the path of the db to my host obviously
t
if you just want to set these two things, the config you need is this:
---
apiVersion: v1
kind: config
spec:
  host_settings:
    enable_software_inventory: true
  vulnerability_settings:
    databases_path: /tmp/vulndbs
as mentioned in the docs. The other is a more complete example
e
I don't see the info being updated on the web
It doesn't seem to download any file to the folder specified
t
did you restart fleet? if so, please share the logs. It checks every hour, it takes an hour to do the first check
e
Yep, I've restarted it. Is the check time related to FLEET_OSQUERY_LABEL_UPDATE_INTERVAL or FLEET_OSQUERY_DETAIL_UPDATE_INTERVAL? Because I've changed that time
t
no, the check time is fixed at 1hr
e
Ok, I will check again after 1 hour and return if I see any issue. Thanks
Quick question, how should I see the CVE info? Along with the software inventory table?
t
correct, you'll see it above the software and with a mark next to each app that's detected
e
Hello again, I've seen that a bunch of files were downloaded to the folder but the software inventory table remains the same
t
what does "the same" mean? empty?
e
Sorry, I meant no extra info, just the software name and version, still not seeing anything CVE related.
t
the cve data is stored in software_cve, the cpe data is stored in software_cve. You would see any CVE data when you list hosts either through fleetctl or through the web
e
Both tables are empty. I don't see any CVE data when I'm listing the hosts or viewing the Host info
t
could you share the logs for fleet?
e
What kind of logs? (result.log or status.log) There are many logs of my private hosts and queries (packs)
t
the logs of the fleet server itself
e
Sorry, is there a clean way to do it? I have my Docker container but it's overflooding with logs since it logs almost everything. Any kind of log or message in particular?
t
anything that contains
component=crons cron=vulnerabilities
e
Ok, I'll look into it. Thanks
Hello, checking again after a few days and no hosts are being tagged with vulnerabilities. I'm not seeing any logs related to that.
t
hi Esteban, could you share your fleet server logs?
e
I was filtering by keyword "vuln" and found no logs. I can't share all my logs since there's private information.
t
you should have seen at least 1 log that matches that, no matter whether you configured right or wrong, or it failed in unexpected ways
e
Mmm... Is there a log file for that? My container is flooding the terminal with logs so it's kind of difficult to track specific logs. I've got result.log and status.log file logs.
t
fleet serve logs to stderr, result and status logs are for osquery
can you restart fleet? you should see some logs at the very beginning of the process running, that will tell us if it's properly configured or not
otherwise you could pipe the logs to a file