https://github.com/osquery/osquery logo
Join Slack
Powered by
Hello testing the file carving functionality. We h...
# fleet
a
Hello testing the file carving functionality. We have the carves going to an S3 bucket but the few I have tested return as 1KB in size. Are there agent option we have to enable?
Copy code
config:
  options:
    logger_plugin: tls
    pack_delimiter: /
    logger_tls_period: 10
    distributed_plugin: tls
    disable_distributed: false
    logger_tls_endpoint: /api/osquery/log
    distributed_interval: 10
    distributed_tls_max_attempts: 3
  decorators:
    load:
      - SELECT uuid AS host_uuid FROM system_info;
      - SELECT hostname AS hostname FROM system_info;
command_line_flags: {} # requires Fleet's osquery installer
This is the default we have.
also is there documentation on all the possible options? tried finding it on osquery docs but not sure where they are at
b
k
There's a good breakdown of the osquery carving flags: https://fleetdm.com/docs/using-fleet/fleetctl-cli#configuration You can check the current settings on your host(s) by running this query from Fleet:
Copy code
SELECT name, default_value, value FROM osquery_flags WHERE name LIKE "%carver%";
@Benjamin Edwards Was quicker on the draw this time 🙂
a
thank you @Benjamin Edwards and @Kathy Satterlee you all are great with the support!
when trying to save, i get this error message
if i remove the logger_plugin, will that affect the agents ability to communicate with the server?
k
Are you using Orbit, or vanilla osquery? 
logger_plugin
is a command-line flag and shouldn't be set through 
config
. osquery has gotten a lot more particular about that of late, so we added some validation on our end. If you're using Orbit, you can set it under `command_line_flags'. All that being said, you shouldn't have any problems if you remove it.
4 Views
Open in Slack
PreviousNext
Powered by