What's the easiest way to setup Linux auditing (similar to

osqueryi --nodisable_audit --nodisable_events --audit_allow_config=true --audit_persist=true --audit_allow_sockets

etc etc) without having osqueryctl installed? We have the fleetctl agent with the osquery package (without Fleet Desktop) installed on Linux servers, Amazon Linux 2.

Now that you have the Fleet agent package deployed, you can manage those flags with https://fleetdm.com/docs/using-fleet/configuration-files#code-command-line-flags-code-option.

@zwass thank you... is that server (fleet) or client (fleetctl/osquery) side?

That's configured on the server and then agents check in and retrieve it. You can configure it in the UI (settings page) or via

fleetctl apply

.

$ fleetctl apply -f test.yml --dry-run Warning: Version mismatch. Client Version: 4.24.1 Server Version: 4.20.0 Error: unknown kind "" Any suggestions for this error? I can share the yml

fleetctl get config

first to get your current config, then edit that with the options you want to add.

I was using a config derived from what was in the agent options panel in the UI but I will do ask you say and see how it goes

That's app configuration -- all the stuff you see in the settings UI

I figured out that everything in the agent config page is what would be in the yaml under the agent_config section of yaml

Yes that's right

might have been a recent update... just updated the server and it let me save whatever before but this time it validated it

Yes we added validation recently

are there default paths for these configs or do they just go into mysql?

Fleet will store them in MySQL

first time setting all of this up and it's been ... an experience

It's a lot -- we're always trying to make it easier but there's still a long way to go.

I'd be happy to provide constructive feedback, also working with a software startup

cc @Noah Talerman @Mo Zhu (our product team)