https://github.com/osquery/osquery logo
Join Slack
Powered by
Hi all, It is not clear to me how should I write t...
# fleet
b
Hi all, It is not clear to me how should I write the configuration file (option.yml) used by 
fleetctl apply -f
. For example if I wanna change 
osquery_status_log_plugin
I can see in the docs the config file format:
Copy code
osquery:
  status_log_plugin: firehouse
How should I write config file for fleetctl? I’ve tried something like:
Copy code
---
apiVersion: v1
kind: options
spec:
  osquery:
    status_log_plugin: stdout
but nothing changed
m
I believe this doc will help you. Essentially, you may have to follow the 
yaml
format for 
kind: config
. Let us know how that works out.
One note: If you are attempting to change the options, you may want to check out this doc on how to configure the fleet server.
b
@Martavis Parker This is my option.yaml:
Copy code
---
apiVersion: v1
kind: config
spec:
  osquery:
    result_log_plugin: stdout
the command (after the fleetctl configuration and login) is this one: 
fleetctl apply -f ./option.yaml
it says: 
[+] applied fleet config
But fleet doesn’t logs on the stdout, it uses the previous configuration. Another usecase: I’ve also tried to start fleet with stdout plugin but when I try to change it into filesystem or firehose plugin through fleetctl command fleet still write the logs with the previous plugin (= stdout in this usecase) Note: I’m using fleet 3.11
Reading the code the logging service creates a new instance of FilesystemLogWriter at the start of fleet (same with Firehose, stdout etc). Maybe when fleet is running I can’t change the plugin, is it possible?
t
Hi Bacarus, to configure 
result_log_plugin
you need to set it in the config for fleet server, not through fleetctl. Here's a few examples: https://github.com/fleetdm/fleet/blob/main/docs/2-Deploying/2-Configuration.md#using-a-config-file, you would add a 
osquery:
section and inside it you would set 
result_log_plugin
3 Views
Open in Slack
PreviousNext
Powered by