Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
m
Madhur Jodhwani
07/31/2021, 1:36 PMHello Guys, I am new to osquery and I was quite impressed with fleet and orbit on what they provide with osquery, I am actually into a problem and I don't know if this is really a feature or not, I want to connect my osqueryd on my intel mac,windows,linux to fleetDM on the M1 mac(none of them are not on the same networks),is it possible,if yes then how? Please help me out with this. It would be very helpful of you guys, I am actually unable to understand the
secret.txtfleet.pemflagfile.txtm
Mystery Incorporated
07/31/2021, 2:21 PMof course it is possible but why are you using your M1 mac as a fleet server?
m
Madhur Jodhwani
07/31/2021, 3:00 PMI mean like I am accessing the GUI from m1 mac, but i won’t be doing that but deploy it on a server online, can you please explain how to connect to remote osqueryd endpoints on other networks to my fleet GUI so it shows up in the GUI?
m
Mystery Incorporated
08/01/2021, 4:35 AMYea the osquery.flags file specifies what fleet server osqueryd talks to. When you create your fleet server there is an button to attach agents and it gives you the flags file to give to your osqueryd agents
:ty: 1
m
Madhur Jodhwani
08/01/2021, 7:45 AMthat’s it? no IP addresses and stuff?
m
Mystery Incorporated
08/01/2021, 11:08 AMThat's it! The flags file contains the URL you specified for your fleet server, and of course your URL resolves to an IP by DNS
Here is example osquery.flage file for you. Add your own fleet server URL so osquery knows to talk to your fleet:
--audit_allow_config=true
--audit_allow_sockets=true
--audit_allow_process_events=true
--audit_persist=true
--events_optimize=true
--events_max=100000
--events_expiry=900
--disable_events=false
--disable_audit=false
--enable_syslog
--syslog_events_max=50000
--syslog_pipe_path=/var/osquery/syslog_pipe
# Server
--tls_hostname=YourFleetServerURLHere:Port
--tls_server_certs=/etc/osquery/fleet.pem
# Enrollment
--host_identifier=instance
--enroll_secret_path=/etc/osquery/secret.txt
--enroll_tls_endpoint=/api/v1/osquery/enroll
# Configuration
--config_plugin=tls
--config_tls_endpoint=/api/v1/osquery/config
--config_refresh=90
# Live query
--disable_distributed=false
--distributed_plugin=tls
--distributed_interval=95
--distributed_tls_max_attempts=5
--distributed_tls_read_endpoint=/api/v1/osquery/distributed/read
--distributed_tls_write_endpoint=/api/v1/osquery/distributed/write
# Logging
--logger_plugin=tls
--logger_tls_endpoint=/api/v1/osquery/log
--logger_tls_period=5
--osquery_detail_update_interval=45m
# File carving
--disable_carver=false
--carver_start_endpoint=/api/v1/osquery/carve/begin
--carver_continue_endpoint=/api/v1/osquery/carve/block
--carver_block_size=2000000I've wrote a powershell script that I deploy from my RMM that downloads latest osquery, fleet.pem, secret.txt and osquery.flags onto any machine and it installs osquery and puts those 3 files where they need to be and that's it, it's really that easy.
m
Madhur Jodhwani
08/01/2021, 1:56 PMcan you please sned that and explains that to me
m
Mystery Incorporated
08/01/2021, 5:48 PMNot really, it's specific to a few things like my RMM, where I'm hosting my files to dl them, etc. so it wouldn't be super useful to you. My point was just to demonstrate how easy deployment is. My script isn't going to make anything easier for you if you don't know how to deploy agents already.
I can try help you if you get stuck with some things, and say I got this error or whatever. But I can't make a full deployment solution for you, for many reasons including it's got to be tailored to your own setup.
So I guess as a very first starting point, have you got fleet server running? No point doing anything until you have fleet running.
m
Madhur Jodhwani
08/02/2021, 4:32 AMOh, please tell me how to deploy a server and how to connect to it, since I am using default admin credentials given to me while setting up fleetDM
m
Mystery Incorporated
08/02/2021, 5:02 AMHere is instructions to install a fleet server https://github.com/fleetdm/fleet/blob/main/docs/2-Deploying/1-Installation.md
:ty: 1
m
Madhur Jodhwani
08/02/2021, 5:46 AMcan this be done on a local machine or needs to be done on AWS?GCP / Azure kind of stuff coz I can’t understand the doc properly
m
Mystery Incorporated
08/02/2021, 9:34 AMIf you do it local you’re probably going to need to NAT/port forward to get stuff through. Probably easier for you to do it from a cloud host like AWS/Azure
m
Madhur Jodhwani
08/02/2021, 9:51 AMOk
could you explain how you did it brother, coz I am really unable to understand it through doc like can you write your experience of setting a server
m
Mystery Incorporated
08/02/2021, 1:50 PMFollow this link: https://github.com/fleetdm/fleet/blob/main/docs/2-Deploying/1-Installation.md and then step by step if you get stuck on a step let me know and I'll try help
m
Madhur Jodhwani
08/03/2021, 4:04 AMSee, actually I am unable to have a server right now so what should I do? is there nay spare or default server online to which I can login and check and test for the timebeing?
Also how to cnfigure it through REST API? and like what happens when we connect to osqueryd with rest api, is it same as server client connection or like sending messages or signals to clients ? I just wanted to get an idea about it
m
Mystery Incorporated
08/06/2021, 4:23 AMMate I dunno how you can put fleet on a server without having access to a server. maybe sign up to a Google cloud or Azure free trial or something? they give you a few hundred dollars worth of credit for a month to try.