Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
a
arod
03/31/2021, 1:38 PMHey folks. Right now we are using Fleet (fleetdm) and the regular Osquery.
What are the benefits to switching over to "Orbit osquery". I tried looking for some docs but couldn't find any.
w
wkleinhenz
03/31/2021, 1:55 PMorbit is pretty new so that might be why the docs are lacking rn, id look at launcher for the time being
g
Gavin
03/31/2021, 1:55 PMI believe the target audience for Orbit is as an alternative for kolide/launcher and something to help reduce the management overhead of vanilla OSquery config management using a sidecar for those who don’t feel comfortable with traditional Config Management.
For example, people use launcher as a quick way of deploying OSquery and getting machines enrolled in the server but now their use case grows and they want to use additional extensions or use advanced runtime flags that is genuinely a PITA with launcher also the fact is uses GRPC as a transport mechanism can also introduce breaking behaviours over vanilla.
My personal OSquery tech journey was as follows.
• Doorman + OSquery + Puppet
• Fleet + OSquery + Puppet
• Fleet + Launcher
• Kolide SAAS + Launcher
• Fleet + Launcher
• Fleet + OSquery + Puppet
We may use orbit in the future since we don’t own puppet.
a
arod
03/31/2021, 2:27 PMThank you!
If I'm understanding things correctly, I can auto update my osquery agents with either launcher or orbit? All remotely?
Have not used either. I would prefer orbit since it's created for fleetdm fleet usage.
@Gavin
@wkleinhenz
The kolide website says this...
That's why we built Kolide Launcher, an open-source project aimed to remove the hurdles of installing, updating and using osquery at scale.g
Gavin
03/31/2021, 2:42 PMyes orbit will auto update based upon a release channel and promotion level managed by the FleetDM team if you want to host / manage your own auto update frequency it will be a pro feature AFAIk.
a
arod
03/31/2021, 2:46 PMOooo. That is good to know @Gavin
Thanks.
z
zwass
03/31/2021, 3:25 PMYeah thanks Gavin doing my job for me! Orbit is quite new and we do need to further document the motivations. There will be more features coming in Fleet that will be supported only by Orbit, though we expect Launcher to remain compatible. (I wrote substantial portions of Launcher and basically all of Orbit).
If you need something that has Windows support and is production ready today, I would recommend Launcher. If you can wait/help test while we stabilize things in Orbit over the next few weeks then I'd definitely go with Orbit -- will save you a migration later when you want to take advantage of the new features offered by Orbit.
r
Ryan
03/31/2021, 5:01 PMWill it support custom extensions as vanilla osquery does?
(just reading the website, looks interesting!)
z
zwass
03/31/2021, 5:03 PMYes, Orbit currently lets you set any osquery flags you like, including to set up extensions. The packaging tooling doesn't currently bundle additional files such as extensions but you could make your own package that did so. Definitely planning to add that support though.
👍 1
Our self-managed update server functionality coming to the paid product will also support updating custom extensions.
a
arod
04/02/2021, 10:20 PMAwesome. Thank you.