Ian Muscat
05/13/2021, 3:47 PM
spec.config.exclude_paths does not work, but spec.overrides.platforms.<platform>.exclude_paths does work. This seems to be inconsistent with spec.config.file_paths which seems to work as expected (outside of the overrides block). Can anyone else replicate this behaviour, and if so, is this intended behaviour? Thanks!

zwass
05/13/2021, 3:49 PM

Ian Muscat
05/13/2021, 4:09 PM
rhel 🤦.
Yep, I’m aware of how overrides work. I still cannot get exclude_paths to work though, both in overrides and in the global config. Just for the sake of clarity I’ve tried this config:
spec:
  config: null
  overrides:
    platforms:
      rhel:
        options:
          disable_audit: false
          disable_events: false
          pack_delimiter: /
          logger_snapshot_event_type: true
        decorators:
          load:
            - select uuid as host_uuid from system_info;
            - select hostname as hostname from system_info;
        file_paths:
          tmp:
            - /tmp/%%
        exclude_paths:
          tmp:
            - /tmp/foo/%%
            - /tmp/tmp.%
file_events table (even after manually restarting osqueryd).
spec:
  config:
    options:
      disable_audit: false
      disable_events: false
      pack_delimiter: /
      logger_snapshot_event_type: true
    decorators:
      load:
        - select uuid as host_uuid from system_info;
        - select hostname as hostname from system_info;
    file_paths:
      tmp:
        - /tmp/%%
    exclude_paths:
      tmp:
        - /tmp/foo/%%
        - /tmp/tmp.%

Noah Talerman
05/13/2021, 6:39 PM
exclude_paths option that is not being applied?

zwass
05/13/2021, 6:43 PM
--verbose --tls_dump for this host and verify the config that it receives from Fleet?

Ian Muscat
05/13/2021, 7:48 PM
> are all other options being applied as expected
Yep, as far as I can tell. I’ll have a closer look tomorrow to make sure
> Can you turn on --verbose --tls_dump for this host
I’m assuming you mean as part of the osqueryd config, right? Will give this a shot, thanks for the tip!

zwass
05/13/2021, 8:13 PM

Ian Muscat
05/14/2021, 7:29 AM
--verbose --tls_dump does show the config being delivered to the host, so maybe this is not a Fleet-related issue after all 🤔. Will have to keep digging, thanks for the help.