Hi everyone. What is the supported way to control config locally but still register / send results to Fleet? Does this require shifting to the filesystem config_plugin and controlling all packs locally as well, or is there a way to still control packs and queries at Fleet, but the other config locally? More details below. We are testing how how we can set all osquery config at our clients and not have any centrally set at Fleet. For our test we removed these 3 lines from our osquery.flags file:

--config_plugin=tls

--config_tls_endpoint=/api/v1/osquery/config

--config_refresh=3600

We still have the following in osquery.flags

--enroll_secret_path=REDACTED

--tls_hostname=REDACTED

--host_identifier=uuid

--enroll_tls_endpoint=/api/v1/osquery/enroll

--disable_distributed=false

--distributed_plugin=tls

--distributed_interval=60

--distributed_tls_max_attempts=3

--distributed_tls_read_endpoint=/api/v1/osquery/distributed/read

--distributed_tls_write_endpoint=/api/v1/osquery/distributed/write

--logger_plugin=tls

--logger_tls_endpoint=/api/v1/osquery/log

--logger_tls_period=10

-–watchdog_memory_limit=500

I'm seeing some strange stuff in this test environment. The hosts will register to fleet, but if you refresh fleet UI, every 10 - 15 seconds or so the hosts will flap between offline and online. Additionally, we aren't logging ANY query results at fleet for these nodes even though we have a few simple ones scheduled. When I run osquery in debug on these nodes, I see the registration, but no decorators, options, packs or queries. I tried adding back in config_plugin=tls and then started to get a bunch of errors about enrolling too often.

Yeah, I think you have that right. You can't have it both ways with config.

Thanks Zach