Hello testing the file carving functionality. We have the carves going to an S3 bucket but the few I have tested return as 1KB in size. Are there agent option we have to enable?

config:
  options:
    logger_plugin: tls
    pack_delimiter: /
    logger_tls_period: 10
    distributed_plugin: tls
    disable_distributed: false
    logger_tls_endpoint: /api/osquery/log
    distributed_interval: 10
    distributed_tls_max_attempts: 3
  decorators:
    load:
      - SELECT uuid AS host_uuid FROM system_info;
      - SELECT hostname AS hostname FROM system_info;
command_line_flags: {} # requires Fleet's osquery installer

This is the default we have.

https://fleetdm.com/docs/using-fleet/fleetctl-cli#carver-block-size For S3 the block size needs to be 5MB

There's a good breakdown of the osquery carving flags: https://fleetdm.com/docs/using-fleet/fleetctl-cli#configuration You can check the current settings on your host(s) by running this query from Fleet:

SELECT name, default_value, value FROM osquery_flags WHERE name LIKE "%carver%";

thank you @Benjamin Edwards and @Kathy Satterlee you all are great with the support!

Are you using Orbit, or vanilla osquery?

logger_plugin

is a command-line flag and shouldn't be set through

config

. osquery has gotten a lot more particular about that of late, so we added some validation on our end. If you're using Orbit, you can set it under `command_line_flags'. All that being said, you shouldn't have any problems if you remove it.