< zwass> I was hoping to avoid dependencies in the Powershel osquery #windows

<@U0JFM04MS> - I was hoping to avoid dependencies ...

Jdotmac

02/19/2020, 6:11 PM

@zwass - I was hoping to avoid dependencies in the Powershell module code and access kolide directly. I haven’t tried wrapping PS around fleetctl on windows though. Will the kolide API allow for running live queries?

zwass

02/19/2020, 6:18 PM

Sure, you can run live queries with the Fleet API. That's what the Fleet frontend and

fleetctl

do. You can search for old threads in #kolide where I tried to point folks towards those implementations.

Jdotmac

02/19/2020, 7:32 PM

Thanks! I was able to get something working pretty quickly. I’ll check out #kolide for Live Query examples (as I only tired GETs)

zwass

02/19/2020, 7:42 PM

For the live query you need to open a websocket and reauth for the result stream. It's not quite as simple but it's nothing crazy.

zwass

02/19/2020, 7:42 PM

Please post your code when you finish if you are able to.

Jdotmac

02/19/2020, 11:17 PM

Cool thanks for pointing me in the right direction. Haven’t had a chance to try yet but I see from the JS client example how to go about it. I can post a sample in this channel tomorrow

Jdotmac

02/21/2020, 9:40 PM

I’m still struggling with this a bit. When setting up the websocket in C# I’m required to provide a wss:// scheme url but can’t seem to find what url I should use. I’m seen other implementations that create a tcp connection and send over a special header asking for a connection upgrade but wasn’t working for me. Any ideas?

zwass

02/22/2020, 12:38 AM

Check this out: https://github.com/kolide/fleet/blob/master/server/service/client_live_query.go#L97-L100

Jdotmac

02/22/2020, 12:58 AM

Ah perfect. Thanks again!

3 Views

Open in Slack

Previous Next