#kolide

zwass

06/27/2018, 9:00 PM
Yep, you can use fleetctl convert to convert osquery pack JSON into the fleetctl yaml format. Then you can apply the yaml.
Mark C.

06/28/2018, 1:51 PM
fleetctl convert --config /usr/share/fleet/test-config.yml -f ~/query-packs/windows-attacks.conf --context windows_attacks --debug
If I run that, the output in the terminal is the pack in the expected yml format. test-config.yml is unchanged and ~/query-packs/windows-attacks.conf is unchanged also. Is this specifically for the fleet-cli? I see there is an example for a single-file config and the multi-file config, but both Fleet configurations look completely different than mine.
brandon

06/28/2018, 6:09 PM
@Mark C. The --config flag is for the fleetctl config, not for Fleet, so this config file will not look like the example configs. When you run fleetctl convert, no files are changed. Instead, if you want to apply the windows-attacks pack to a Fleet instance, I would use
fleetctl convert -f ~/query-packs/windows-attacks.conf > windows-attacks.yml
and then
fleetctl apply --config /usr/share/fleet/test-config.yml --context windows_attacks -f windows-attacks.yml
zwass

06/28/2018, 6:13 PM
Yes, thank you @brandon. Spot on. The output of fleetctl convert goes to stdout, so you can pipe it to wherever you like with your shell and then apply it.
Mark C.

06/28/2018, 6:33 PM
Now that makes total sense. What if the config is for a running daemon? A restart should do the trick, right?
zwass

06/28/2018, 6:34 PM
Nope, the daemon should reload the config (as long as config_refresh is set to something greater than 0) 🙂
Mark C.

06/28/2018, 7:05 PM
fleetctl convert works as expected; apply does not. Fleetctl is prompting to set the address in the config. I think I might have made an assumption that the GUI and CLI configs were similar, but not?
zwass

06/28/2018, 7:19 PM
fleetctl login first
Mark C.

06/28/2018, 7:37 PM
WOW, thank you so much. Seriously, this is awesome. I sincerely hope that the stack we are building based on OSQ Fleet and ES will blow any pay-to-play solution out of the water. We're like counting the hours here to throw some big money at another solution, and this has really changed the game, not to mention made my job so much easier. Hopefully as I become more versed in Fleet I can contribute something back. 😄
zwass

06/28/2018, 10:20 PM
We're glad you're enjoying! We also have a cloud offering that goes way beyond what Fleet does (kolide.com), but sounds like you're pretty happy 🙂