hold on, double-checked the docs. Appears I have t...
# kolided
defensivedepth
07/16/2018, 7:26 PMhold on, double-checked the docs. Appears I have to manually specify ‘removed: false’ in the pack config? I have not, but the UI shows that the pack/queries are set to diff-ignore.
z
zwass
07/16/2018, 11:47 PM
Did you configure these packs via the UI or
fleetctld
defensivedepth
07/16/2018, 11:49 PMfleetctl. This does appear to be a bug of some kind, still confirming.
When creating a query pack config file, if ‘removed:false’ is not specified, the mode defaults to including removals. However, the UI displays the ‘Differential (Ignore Removals)’ option.
When ‘removed:true’ is used, the UI displays the correct selection - ‘Differential’
I am unsure what is expected default mode if the ‘removed:true/false’ line is not included.
z
zwass
07/16/2018, 11:54 PM
The expected behavior should be like the osquery behavior (as specified in https://osquery.readthedocs.io/en/stable/deployment/configuration/#schedule). This would mean by default removals are included. Sounds like perhaps we are using the correct default, but rendering the wrong value in the UI. I'll look into this.
d
defensivedepth
07/17/2018, 12:02 AMThanks, that is what I am thinking as well
defensivedepth
07/17/2018, 12:07 AMOnce I confirm, I will open up an issue
z
zwass
07/17/2018, 12:11 AM
I found the issue in the frontend JS
👍 1
3 Views