https://github.com/osquery/osquery logo
Powered by
#fleet
Title
# fleet
b

Bacarus

05/26/2021, 12:35 PM
Hi, Can someone help me with osquery configuration? I’m trying to modify osquery configuration throught fleet ui -> settings/osquery options if I modify something like logger_tls_period it saves the changes to the server but with more complex yaml cinfigurations it doesn’t work. It doesn’t send the post from the front end and the console gives the error in the screenshot. (Below the yaml configuration)
--- apiVersion: v1 kind: options spec: config: options: logger_plugin: tls pack_delimiter: / logger_tls_period: 10 distributed_plugin: tls disable_distributed: false logger_tls_endpoint: /api/v1/osquery/log distributed_interval: 10 distributed_tls_max_attempts: 3 decorators: load: - SELECT uuid AS host_uuid FROM system_info; - SELECT hostname AS hostname FROM system_info; overrides: {} --- apiVersion: v1 kind: enroll_secret spec: secrets: - active: true name: default secret: RzTlxPvugG4o4O5IKS/HqEDJUmI1hwBoffff - active: true name: new_one secret: reallyworks - active: false name: inactive_secret secret: thissecretwontwork!
i

Ian Muscat

05/26/2021, 12:59 PM
Not sure about the JS console error, but if you’re editing options via the UI you should ditch the 
apiVersion
and 
kind
keys.
Copy code
spec:
  config:
    options:
      logger_plugin: tls
      pack_delimiter: /
      logger_tls_period: 10
      distributed_plugin: tls
      disable_distributed: false
      logger_tls_endpoint: /api/v1/osquery/log
      distributed_interval: 10
      distributed_tls_max_attempts: 3
    decorators:
      load:
        - SELECT uuid AS host_uuid FROM system_info;
        - SELECT hostname AS hostname FROM system_info;
  overrides: {}
Also, I don’t think you can set up 
enroll_secret
via the same place you set options. You probably need to do this via 
fleetctl
1
🙏 1
b

Bacarus

05/26/2021, 1:21 PM
so fleet doesn’t allow to change all the settings from ui? even if the logged user is the admin?
By the way with fleetctl I use the command: 
./build/fleetctl get options > options.yaml
it sends a GET request to “https://localhost:8080/api/v1/fleet/spec/osquery_options”, can I change the url? (for example I’ve my fleet on localhost:18080)
n

Noah Talerman

05/26/2021, 1:29 PM
Only the osquery options can be edited on the osquery options page in the Fleet UI. You’ll want to use the above yaml configuration that Ian has provided to successfully edit the osquery options. To create/modify enroll secrets you must create a separate yaml configuration file and use the 
fleetctl apply -f <file-name-here>
command. There’s currently no way to modify enroll secrets in the Fleet UI. To change the url that 
fleetctl
uses you can use the 
fleetctl config set --address localhost:18080
🙏 1
m

mikermcneil

05/26/2021, 4:19 PM
Looks like Fleet could use a better error message for this scenario, when editing these agent options fails in the UI
👍 1
n

Noah Talerman

05/26/2021, 4:38 PM
Definitely, in the linked GitHub issue I added…the first step for adding validation in this scenario is to first add better error handling: https://github.com/fleetdm/fleet/issues/289#issuecomment-848928631
ty 1
🎉 1
Powered by