https://github.com/osquery/osquery logo
Powered by
Title
e

Edward

04/29/2021, 10:28 PM
can I use the fleet api to fetch results from a scheduled query pack? where can i find documentation on this?
z

zwass

04/30/2021, 12:02 AM
You cannot. Scheduled query results are logged to whatever logging plugin you have configured and are not stored in the Fleet DB.
e

Edward

05/03/2021, 3:21 AM
is this something will may become available in the future? Like in a roadmap?
z

zwass

05/03/2021, 5:26 PM
Depends on what exactly you are looking to achieve. You can store some query results along with a host currently (see https://github.com/fleetdm/fleet/blob/master/docs/1-Using-Fleet/2-fleetctl-CLI.md#fleet-configuration-options). We do not have anything on the roadmap that could compete with Splunk/Elastic as far as storing large amounts of historical data.
n

Noah Talerman

05/04/2021, 6:16 PM
Hi @Edward. When you thought of potentially using the Fleet API to fetch results from a scheduled query pack, what kind of host data were you trying to retrieve?
e

Edward

05/05/2021, 2:42 PM
like os name, version, installed application, kernel version
n

Noah Talerman

05/05/2021, 3:01 PM
Got it. Each host’s os name and os version are available using the 
api/v1/fleet/hosts
endpoint. See the API documentation for this endpoint here: https://github.com/fleetdm/fleet/blob/9fb9da31f5462fa7dda4819a114bbdbc0252c347/docs/1-Using-Fleet/3-REST-API.md#list-hosts Viewing each host’s installed software (I’m assuming this is what you mean by application) was released behind a feature flag in Fleet 3.11.0 and called Software inventory. See the feature flag documentation for instructions on turning on Software inventory in Fleet: https://github.com/fleetdm/fleet/blob/9fb9da31f5462fa7dda4819a114bbdbc0252c347/docs/3-Deployment/2-Configuration.md#feature-flags Once the Software inventory feature is turned on, a list of a specific host’s installed software is available using the 
api/v1/fleet/hosts/{id}
endpoint. See the documentation on this endpoint here: https://github.com/fleetdm/fleet/blob/9fb9da31f5462fa7dda4819a114bbdbc0252c347/docs/1-Using-Fleet/3-REST-API.md#get-host On kernel version: It’s now possible in Fleet to retrieve each host’s kernel version, using the Fleet API, through 
additional_queries
. The Fleet configuration options yaml file includes an 
additional_queries
property that allows you to append custom query results to the host details returned by the 
api/v1/fleet/hosts
endpoint. See an example configuration file with the 
additional_queries
field here: https://github.com/fleetdm/fleet/blob/9fb9da31f5462fa7dda4819a114bbdbc0252c347/docs/1-Using-Fleet/2-fleetctl-CLI.md#fleet-configuration-options
e

Edward

05/06/2021, 10:31 PM
what's the API URL? I see api paths like: 
GET /api/v1/fleet/hosts
but don't I also need the api url? Also where can I find the api key?
I apologize if this is documented somewhere, I wasn't able to find it
n

Noah Talerman

05/06/2021, 10:40 PM
don’t I also need the api url?
Correct! The API URL is dependent on your Fleet web address. For example, if your Fleet web address is https://fleet.acme.org (this is how you would access the Fleet UI) then your API URL will be https://fleet.acme.org/api/v1/fleet/hosts.
Also where can I find the api key?
You can find your API key using the Fleet UI. Select the avatar in the far right of the top navigation and then select “My account” from the dropdown menu. On the My account page, select the “Get API token” in the right side bar.
e

Edward

05/09/2021, 6:25 PM
so I ran a curl command:
curl -H "Authorization: Bearer MY_API_TOKEN_FROM_FLEET_UI_HERE" -X GET '<https://my_fleet_url/api/v1/fleet/hosts>'
but I got the response:
{
  "message": "you are not allowed to access this endpoint",
  "error": true,
  "version": "1.0.2",
  "code": "4310"
}
what could be wrong here?
hmm, it could be because my my_fleeet_url is deployed in prod and may not be reachable from my laptop
z

zwass

05/10/2021, 3:01 PM
Yeah, that doesn't look like an error from Fleet.
3 Views
#fleetJoin Slack
Powered by