Hey there I m running Fleet 3 11 0 and I m trying to configu osquery #fleet

Hey there, I’m running Fleet 3.11.0 and I’m trying...

Ian Muscat

05/13/2021, 3:47 PM

Hey there, I’m running Fleet 3.11.0 and I’m trying to configure Fleet’s FIM options. I noticed that

spec.config.exclude_paths

does not work, but

spec.overrides.platforms.<platform>.exclude_paths

does work. This seems to be inconsistent with

spec.config.file_paths

which seems to work as expected (outside of the

overrides

block). Can anyone else replicate this behaviour, and if so, is this intended behaviour? Thanks!

zwass

05/13/2021, 3:49 PM

Perhaps it's a misunderstanding of how the overrides work? See https://github.com/fleetdm/fleet/blob/master/examples/config-many-files/config.yml#L21-L25. If there's anything in a matching overrides block then the values in the config block would be ignored.

Ian Muscat

05/13/2021, 4:09 PM

Actually my statement about the overrides block working was incorrect. I mis-typed

rhel

🤦. Yep, I’m aware of how overrides work. I still can not get

exclude_paths

to work though, both in overrides and in the global config. Just for the sake of clarity I’ve tried this config:

Copy code

spec:
  config: null
  overrides:
    platforms:
      rhel:
        options:
          disable_audit: false
          disable_events: false
          pack_delimiter: /
          logger_snapshot_event_type: true
        decorators:
          load:
            - select uuid as host_uuid from system_info;
            - select hostname as hostname from system_info;
        file_paths:
          tmp:
            - /tmp/%%
        exclude_paths:
          tmp:
            - /tmp/foo/%%
            - /tmp/tmp.%

Ian Muscat

05/13/2021, 4:12 PM

The following (not using overrides) also doesn’t seem to work for me — i.e. file changes are still being shown in the

file_events

table (even after manually restarting

osqueryd

Copy code

spec:
  config:
    options:
        disable_audit: false
        disable_events: false
        pack_delimiter: /
        logger_snapshot_event_type: true
    decorators:
        load:
        - select uuid as host_uuid from system_info;
        - select hostname as hostname from system_info;
    file_paths:
        tmp:
        - /tmp/%%
    exclude_paths:
        tmp:
        - /tmp/foo/%%
        - /tmp/tmp.%

Noah Talerman

05/13/2021, 6:39 PM

@Ian Muscat for both configurations you’ve shared in this thread, are all other options being applied as expected? Is it only the

exclude_paths

option that is not being applied?

zwass

05/13/2021, 6:43 PM

Can you turn on

--verbose --tls_dump

for this host and verify the config that it receives from Fleet?

Ian Muscat

05/13/2021, 7:48 PM

are all other options being applied as expected

Yep, as far as I can tell. I’ll have a closer look tomorrow to make sure

Can you turn on
--verbose --tls_dump
for this host

I’m assuming you mean as part of the

osqueryd

config, right? Will give this a shot, thanks for the tip!

zwass

05/13/2021, 8:13 PM

Yes, with osqueryd. This will let you see exactly what Fleet is sending and is almost always a helpful debugging step to isolate where the issues might be.

Ian Muscat

05/14/2021, 7:29 AM

Hmm, turning on

--verbose --tls_dump

does show the config being delivered to the host, so maybe this is not a Fleet-related issue after all 🤔. Will have to keep digging, thanks for the help.

3 Views

Open in Slack

Previous Next