Osquery uses basic SQL commands to leverage a relational data-model to describe a device.

osquery

Yep, you can use `fleetctl convert` to convert osquery pack JSON into the fleetctl yaml format. Then you can apply the yaml.

`fleetctl convert --config /usr/share/fleet/test-config.yml -f ~/query-packs/windows-attacks.conf --context windows_attacks --debug`

If I run that the output in the terminal is the pack in the expected yml format. `test-config.yml` is unchanged and `~/query-packs/windows-attacks.conf` is unchanged also. is this specifically for the fleet-cli? I see there is an example for a single file config and the multi file config but both fleet configurations look completely different than mine.

<@UBBL4E020> The `--config` flag is for the `fleetctl` config, not for Fleet, so this config file will not look like the example configs. When you run `fleetctl convert` no files are changed. Instead, if you want to apply the windows-attacks pack to a Fleet instance, I would use `fleetctl convert -f ~/query-packs/windows-attacks.conf &gt; windows-attacks.yml` and then `fleetctl apply --config /usr/share/fleet/test-config.yml --context windows_attacks -f windows-attacks.yml`.

Yes, thank you <@UB2083719>. Spot on. The output of `fleetctl convert` goes to stdout, so you can pipe it to wherever you like with your shell and then apply it.

Now that makes total sense, what if the config is for a running daemon, a restart should do the trick right?

Nope, the daemon should reload the config (as long as `config_refresh` is set to something greater than 0) :slightly_smiling_face:

`fleetctl convert` works as expected `apply` is not. Fleetctl is prompting to set the address in the config. I think I might have made an assumption that the GUI and CLI configs were similar, but not?

WOW, thank you so much. Seriously, this is awesome. I sincerely hope that the stack we are building based on OSQ Fleet and ES will blow any pay to play solution out of the water. We're like counting the hours here to throw some big money at another solution and this has really changed the game and not to mention made my job so much easier. Hopefully as I become more versed in Fleet I can contribute something back. :smile:

We're glad you're enjoying! We also have a cloud offering that goes way beyond what Fleet does (<http://kolide.com|kolide.com>), but sounds like you're pretty happy :slightly_smiling_face: