# fleet
w
Hi Fleet team, do we have a doc that presents how to use carve?
w
And are all the files loaded by a carve query returned via distributed_write to the Fleet side? And where does Fleet store them?
k
Carves are sent to fleet via the carving endpoints:
`--carver_start_endpoint=/api/v1/osquery/carve/begin`
This endpoint tells the server the carve is incoming.
`--carver_continue_endpoint=/api/v1/osquery/carve/block`
This is where the actual carve is sent. By default, carves are stored in the Fleet database and removed after 24 hours.
w
`/api/v1/osquery/carve/begin`
This one is used to send the file? What about this one?
`--carver_continue_endpoint=/api/v1/osquery/carve/block`
k
The first tells the server a carve will be sent. The second sends the actual carve blocks.
w
And the content of the file is stored in carve_blocks, and the file meta info is stored in carve_metadata, right?
And after 24 hrs it will be removed?
How does Fleet implement it? By starting a goroutine?
k
You can set up a different carving backend if you’d like to keep them around longer: https://fleetdm.com/docs/using-fleet/fleetctl-cli#alternative-carving-backends
w
So the order is:
1. begin the carve by calling `/api/v1/osquery/carve/begin`
2. the agent will run the distributed query and fetch the file
3. the agent will send it back to Fleet via `/api/v1/osquery/carve/block`
Is that the right order?
k
1. The carve is initiated by querying the `carves` table
2. The host receives the query and osquery starts processing
3. When osquery is ready to send the carve, it sends a request to the `/begin` endpoint to start the process
4. The actual carve blocks are then sent by osquery to the `/block` endpoint
w
"1. The carve is initiated by querying the `carves` table" – this happens on the agent side, right? But who told the agent to activate the carves feature?
k
When you want to initiate a carve, you do so by querying the `carves` table, either through `fleetctl`, or running a live query in the UI or REST API.
That’s step one above. Let me tweak that a little.
1. The carve is initiated in Fleet by querying the `carves` table (through the UI, API or `fleetctl`). The query looks like this:
`SELECT * FROM carves WHERE path = <filepath> and carve = 1;`
The `and carve = 1` is what tells osquery that this is a new carve.
I know there are a lot of moving pieces there! Just let me know if you want me to put it all together from the beginning again.
w
No worries, I got it. Very clear, ty.
k
Great!
I’m really excited about how deeply you’re digging into this stuff. Are you thinking about contributing?
w
Maybe one more question: if I run a live query for a carve, the agent returns the result of a live query with distributed_write, but carve has different endpoints to do it. So does it mean osquery can distinguish the carve from other live queries and use a different endpoint to transfer it back?
k
Exactly.