can I use the fleet api to fetch results from a sc...
# fleet
e
can I use the fleet api to fetch results from a scheduled query pack? where can I find documentation on this?
z
You cannot. Scheduled query results are logged to whatever logging plugin you have configured and are not stored in the Fleet DB.
e
is this something that may become available in the future? Like in a roadmap?
z
Depends on what exactly you are looking to achieve. You can store some query results along with a host currently (see https://github.com/fleetdm/fleet/blob/master/docs/1-Using-Fleet/2-fleetctl-CLI.md#fleet-configuration-options). We do not have anything on the roadmap that could compete with Splunk/Elastic as far as storing large amounts of historical data.
n
Hi @Edward. When you thought of potentially using the Fleet API to fetch results from a scheduled query pack, what kind of host data were you trying to retrieve?
e
like os name, version, installed application, kernel version
n
Got it. Each host’s os name and os version are available using the `api/v1/fleet/hosts` endpoint. See the API documentation for this endpoint here: https://github.com/fleetdm/fleet/blob/9fb9da31f5462fa7dda4819a114bbdbc0252c347/docs/1-Using-Fleet/3-REST-API.md#list-hosts
Viewing each host’s installed software (I’m assuming this is what you mean by application) was released behind a feature flag in Fleet 3.11.0 and called Software inventory. See the feature flag documentation for instructions on turning on Software inventory in Fleet: https://github.com/fleetdm/fleet/blob/9fb9da31f5462fa7dda4819a114bbdbc0252c347/docs/3-Deployment/2-Configuration.md#feature-flags
Once the Software inventory feature is turned on, a list of a specific host’s installed software is available using the `api/v1/fleet/hosts/{id}` endpoint. See the documentation on this endpoint here: https://github.com/fleetdm/fleet/blob/9fb9da31f5462fa7dda4819a114bbdbc0252c347/docs/1-Using-Fleet/3-REST-API.md#get-host
On kernel version: It’s now possible in Fleet to retrieve each host’s kernel version, using the Fleet API, through `additional_queries`. The Fleet configuration options yaml file includes an `additional_queries` property that allows you to append custom query results to the host details returned by the `api/v1/fleet/hosts` endpoint. See an example configuration file with the `additional_queries` field here: https://github.com/fleetdm/fleet/blob/9fb9da31f5462fa7dda4819a114bbdbc0252c347/docs/1-Using-Fleet/2-fleetctl-CLI.md#fleet-configuration-options
e
what's the API URL? I see api paths like:
GET /api/v1/fleet/hosts
but don't I also need the api url? Also where can I find the api key?
I apologize if this is documented somewhere, I wasn't able to find it
n
> don’t I also need the api url?
Correct! The API URL is dependent on your Fleet web address. For example, if your Fleet web address is https://fleet.acme.org (this is how you would access the Fleet UI) then your API URL will be https://fleet.acme.org/api/v1/fleet/hosts.
> Also where can I find the api key?
You can find your API key using the Fleet UI. Select the avatar in the far right of the top navigation and then select “My account” from the dropdown menu. On the My account page, select the “Get API token” in the right side bar.
e
so I ran a curl command:
```
curl -H "Authorization: Bearer MY_API_TOKEN_FROM_FLEET_UI_HERE" -X GET 'https://my_fleet_url/api/v1/fleet/hosts'
```
but I got the response:
```
{
  "message": "you are not allowed to access this endpoint",
  "error": true,
  "version": "1.0.2",
  "code": "4310"
}
```
what could be wrong here?
hmm, it could be because my my_fleet_url is deployed in prod and may not be reachable from my laptop
z
Yeah, that doesn't look like an error from Fleet.