# fleet
Hello Guys, I am new to osquery and I was quite impressed with fleet and orbit and what they provide with osquery. I am actually into a problem and I don't know if this is really a feature or not: I want to connect osqueryd on my Intel Mac, Windows and Linux machines to FleetDM on the M1 Mac (none of them are on the same network). Is it possible? If yes, then how? Please help me out with this. It would be very helpful of you guys. I am actually unable to understand the secret.txt, fleet.pem and flagfile.txt part as well in this, any help would be appreciated.
of course it is possible but why are you using your M1 mac as a fleet server?
I mean like I am accessing the GUI from the M1 Mac, but I won't be doing that, I'll deploy it on a server online. Can you please explain how to connect remote osqueryd endpoints on other networks to my fleet GUI so they show up in the GUI?
Yea, the osquery.flags file specifies what fleet server osqueryd talks to. When you create your fleet server there is a button to attach agents and it gives you the flags file to give to your osqueryd agents.
that’s it? no IP addresses and stuff?
That's it! The flags file contains the URL you specified for your fleet server, and of course your URL resolves to an IP by DNS
Here is an example osquery.flags file for you. Add your own fleet server URL so osquery knows to talk to your fleet:

# Event collection (the audit_* flags are Linux auditd settings)
--audit_allow_config=true
--audit_allow_sockets=true
--audit_allow_process_events=true
--audit_persist=true
--events_optimize=true
--events_max=100000
--events_expiry=900
--disable_events=false
--disable_audit=false
--enable_syslog
--syslog_events_max=50000
--syslog_pipe_path=/var/osquery/syslog_pipe

# Server (host:port only, no https:// scheme; fleet.pem is the server's CA/cert chain)
--tls_hostname=YourFleetServerURLHere:Port
--tls_server_certs=/etc/osquery/fleet.pem

# Enrollment (secret.txt holds the enroll secret shown in the fleet UI)
--host_identifier=instance
--enroll_secret_path=/etc/osquery/secret.txt
--enroll_tls_endpoint=/api/v1/osquery/enroll

# Configuration
--config_plugin=tls
--config_tls_endpoint=/api/v1/osquery/config
--config_refresh=90

# Live query
--disable_distributed=false
--distributed_plugin=tls
--distributed_interval=95
--distributed_tls_max_attempts=5
--distributed_tls_read_endpoint=/api/v1/osquery/distributed/read
--distributed_tls_write_endpoint=/api/v1/osquery/distributed/write

# Logging
--logger_plugin=tls
--logger_tls_endpoint=/api/v1/osquery/log
--logger_tls_period=5
--osquery_detail_update_interval=45m

# File carving
--disable_carver=false
--carver_start_endpoint=/api/v1/osquery/carve/begin
--carver_continue_endpoint=/api/v1/osquery/carve/block
--carver_block_size=2000000
I've written a PowerShell script that I deploy from my RMM that downloads the latest osquery, fleet.pem, secret.txt and osquery.flags onto any machine, installs osquery and puts those 3 files where they need to be, and that's it, it's really that easy.
can you please send that and explain it to me
Not really, it's specific to a few things like my RMM, where I'm hosting my files to dl them, etc. so it wouldn't be super useful to you. My point was just to demonstrate how easy deployment is. My script isn't going to make anything easier for you if you don't know how to deploy agents already.
I can try to help you if you get stuck with some things, and say I got this error or whatever. But I can't make a full deployment solution for you, for many reasons, including that it's got to be tailored to your own setup.
So I guess as a very first starting point, have you got fleet server running? No point doing anything until you have fleet running.
Oh, please tell me how to deploy a server and how to connect to it, since I am using default admin credentials given to me while setting up fleetDM
can this be done on a local machine or does it need to be done on AWS / GCP / Azure kind of stuff? coz I can't understand the doc properly
If you do it local you’re probably going to need to NAT/port forward to get stuff through. Probably easier for you to do it from a cloud host like AWS/Azure
Ok, could you explain how you did it brother, coz I am really unable to understand it through the doc. Like, can you write up your experience of setting up a server?
Follow this link: https://github.com/fleetdm/fleet/blob/main/docs/2-Deploying/1-Installation.md and go step by step. If you get stuck on a step let me know and I'll try to help.
See, actually I am unable to have a server right now, so what should I do? Is there any spare or default server online to which I can log in and check and test for the time being?
Also, how do I configure it through the REST API? And what happens when we connect to osqueryd with the REST API, is it the same as a server-client connection, or like sending messages or signals to clients? I just wanted to get an idea about it.
Mate, I dunno how you can put fleet on a server without having access to a server. Maybe sign up for a Google Cloud or Azure free trial or something? They give you a few hundred dollars worth of credit for a month to try.