
Esteban

02/03/2021, 8:33 PM
Hi, is there any way to export Query Packs (along with their queries)?

Noah Talerman

02/03/2021, 9:18 PM
Hi, the Exporting All Queries and Packs section of this blog post provides helpful instructions for achieving this using fleetctl.

Esteban

02/04/2021, 1:00 PM
Thank you, I'll try it
I didn't say anything about exporting, just how you can list the Packs or Queries on the system

Noah Talerman

02/04/2021, 6:11 PM
Hi, you’re totally right. Once you have the pack names you can get each individual pack in YAML config format with the command fleetctl get p <insert_pack_name>. This will output the properly formatted config in the terminal. There’s currently no way to get the YAML config for multiple query packs in one command.
For your use case, why would you like to be able to export Query Packs?

Esteban

02/05/2021, 1:49 PM
Yes, but fleetctl get p <insert_pack_name> will not list the queries in the pack, only the names. In any case, I'm trying to migrate from kolide/fleet to fleetdm/fleet with a clean database.
It would be nice to list the query pack along with its associated queries.

Noah Talerman

02/05/2021, 4:15 PM
I'm trying to migrate from kolide/fleet to fleetdm/fleet with a clean database
Got it. Yes you’re correct that only the names of the queries are listed and this doesn’t help you in your migration efforts.
These are the multiple steps that I believe will help you achieve your use case of migrating query packs along with queries to your new install of Fleet:
1. With your kolide/fleet instance running, run fleetctl get queries --yaml. This will output a list of queries in YAML format. Copy this list into a new file called something like queries.yml
2. With your kolide/fleet instance running, run fleetctl get packs --yaml. This will output a list of query packs in YAML format. Copy this into a new file called something like packs.yml
3. Now, with your fleetdm/fleet instance running, run fleetctl apply -f queries.yml. This will import all the queries from your new queries.yml file into your new Fleet instance.
4. With your fleetdm/fleet instance running, run fleetctl apply -f packs.yml. This will import all the query packs along with the correct queries (that you just imported) into your new Fleet instance.

Esteban

02/05/2021, 5:18 PM
Thank you! That's clearer

Noah Talerman

02/05/2021, 5:34 PM
Great! Let me know how this works out :)

Esteban

02/08/2021, 4:35 PM
It works, very straightforward