keko

10/01/2019, 1:41 AM
If I only set certain keys in my Fleet osquery conf file (e.g., sysmon.conf), does that remove the current configs for the other keys? I'd like to add windows_event_channels: 'System,Application,Setup,Security,Microsoft-Windows-Sysmon/Operational'

zwass

10/02/2019, 1:00 AM
No, it should only overwrite values that are set.

keko

10/07/2019, 9:10 PM
Should this be working? 🤔 I'm not getting any new source in Fleet when I query my host, so I figured I might have done the config wrong.
apiVersion: 1
kind: options
spec:
  config:
    options:
      windows_event_channels: 'System,Application,Setup,Security,Microsoft-Windows-Sysmon/Operational'
I may have missed some other config. System,Application,Setup,Security are under 'Windows Logs', while Microsoft-Windows-Sysmon/Operational is under 'Applications and Service Logs'.