Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
g
groob
01/23/2019, 4:41 PMto see the schedule you need to query it from a scheduled query
j
jackjack
01/23/2019, 5:36 PMsorry I might have missed your point here. Do you mean I need to write another search in the conf file to query what has been scheduled to run?
g
groob
01/23/2019, 5:37 PMyes
you can only get the osqueryd schedule by querying it in the config and reading the logs
j
jackjack
01/23/2019, 5:38 PMoh okay
g
groob
01/23/2019, 5:38 PMthe schedule lives in the db, and osqueryi never interacts with the db
j
jackjack
01/23/2019, 5:38 PMany idea on why it's not writing to the result file?
g
groob
01/23/2019, 5:39 PMtry a simpler config file with a frequent query to debug
there could be a million reasons why but if you’re importing a big config it’s hard to tell
j
jackjack
01/23/2019, 5:40 PMok. Thank you. As always.:D
g
groob
01/23/2019, 5:40 PMit could be something like you connecting to a TLS server which overrides the config order and points to a different logger
j
jackjack
01/23/2019, 5:40 PMoh,....Fleet doesn't do that...does it?
g
groob
01/23/2019, 5:40 PMit does
j
jackjack
01/23/2019, 5:40 PMoh ;(
g
groob
01/23/2019, 5:41 PMif you specified config_plugin=tls then your config file is useless
i you specified config_plugin=filesystem then your pack configs in fleet are useless
pick one
j
jackjack
01/23/2019, 5:42 PMlol! It turns out we have both! great catch!
I don't need
config_plugin=tlsg
groob
01/23/2019, 5:42 PMright, you can choose config_plugin=filesystem.
j
jackjack
01/23/2019, 5:43 PM👍 thank you
g
groob
01/23/2019, 5:43 PMbut note that it means you can’t use the fleet packs screens anymore
you can still use fleet for live queries, provided you specified
distributed_plugin=tlsin your conf file
labels will also continue to work that way
also note that fleet has it’s own config file format you can use to manage packs if you want to do it outside the UI
it’s an option, but there’s very little advantages that I know of to using config_plugin=filesystem if you’re committing to using fleet
j
jackjack
01/23/2019, 6:00 PMTrue. Given that our tunnel is up and reliable 😄 meanwhile, I am just using filesystem to fill the gap, once our cloud routing is hardened