Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
d
defensivedepth
07/16/2018, 7:26 PMhold on, double-checked the docs. Appears I have to manually specify ‘removed: false’ in the pack config? I have not, but the UI shows that the pack/queries are set to diff-ignore.
z
zwass
07/16/2018, 11:47 PMDid you configure these packs via the UI or
fleetctld
defensivedepth
07/16/2018, 11:49 PMfleetctl. This does appear to be a bug of some kind, still confirming.
When creating a query pack config file, if ‘removed:false’ is not specified, the mode defaults to including removals. However, the UI displays the ‘Differential (Ignore Removals)’ option.
When ‘removed:true’ is used, the UI displays the correct selection - ‘Differential’
I am unsure what is expected default mode if the ‘removed:true/false’ line is not included.
z
zwass
07/16/2018, 11:54 PMThe expected behavior should be like the osquery behavior (as specified in https://osquery.readthedocs.io/en/stable/deployment/configuration/#schedule). This would mean by default removals are included. Sounds like perhaps we are using the correct default, but rendering the wrong value in the UI. I'll look into this.
d
defensivedepth
07/17/2018, 12:02 AMThanks, that is what I am thinking as well
Once I confirm, I will open up an issue
z
zwass
07/17/2018, 12:11 AMI found the issue in the frontend JS
👍 1