Hi, Can someone help me with osquery configuration...
# fleet
b
Hi, can someone help me with osquery configuration? I’m trying to modify the osquery configuration through the Fleet UI -> settings/osquery options. If I modify something like logger_tls_period it saves the changes to the server, but with more complex YAML configurations it doesn’t work. It doesn’t send the POST from the front end and the console gives the error in the screenshot. (Below is the YAML configuration.)
---
apiVersion: v1
kind: options
spec:
  config:
    options:
      logger_plugin: tls
      pack_delimiter: /
      logger_tls_period: 10
      distributed_plugin: tls
      disable_distributed: false
      logger_tls_endpoint: /api/v1/osquery/log
      distributed_interval: 10
      distributed_tls_max_attempts: 3
    decorators:
      load:
        - SELECT uuid AS host_uuid FROM system_info;
        - SELECT hostname AS hostname FROM system_info;
  overrides: {}
---
apiVersion: v1
kind: enroll_secret
spec:
  secrets:
    - active: true
      name: default
      secret: RzTlxPvugG4o4O5IKS/HqEDJUmI1hwBoffff
    - active: true
      name: new_one
      secret: reallyworks
    - active: false
      name: inactive_secret
      secret: thissecretwontwork!
i
Not sure about the JS console error, but if you’re editing options via the UI you should ditch the apiVersion and kind keys.
spec:
  config:
    options:
      logger_plugin: tls
      pack_delimiter: /
      logger_tls_period: 10
      distributed_plugin: tls
      disable_distributed: false
      logger_tls_endpoint: /api/v1/osquery/log
      distributed_interval: 10
      distributed_tls_max_attempts: 3
    decorators:
      load:
        - SELECT uuid AS host_uuid FROM system_info;
        - SELECT hostname AS hostname FROM system_info;
  overrides: {}
Also, I don’t think you can set up enroll_secret via the same place you set options. You probably need to do this via fleetctl.
b
So Fleet doesn’t allow changing all the settings from the UI? Even if the logged-in user is the admin?
By the way with fleetctl I use the command:
./build/fleetctl get options > options.yaml
It sends a GET request to “https://localhost:8080/api/v1/fleet/spec/osquery_options”. Can I change the URL? (For example, I have my Fleet on localhost:18080.)
n
Only the osquery options can be edited on the osquery options page in the Fleet UI. You’ll want to use the above YAML configuration that Ian has provided to successfully edit the osquery options. To create/modify enroll secrets you must create a separate YAML configuration file and use the fleetctl apply -f <file-name-here> command. There’s currently no way to modify enroll secrets in the Fleet UI. To change the URL that fleetctl uses you can use the fleetctl config set --address localhost:18080
m
Looks like Fleet could use a better error message for this scenario, when editing these agent options fails in the UI
n
Definitely, in the linked GitHub issue I added…the first step for adding validation in this scenario is to first add better error handling: https://github.com/fleetdm/fleet/issues/289#issuecomment-848928631