# fleet
c
Hey folks, we have `logger_snapshot_event_type: true` in our config, but we're still seeing snapshot data come in as if it was set to false. Here's the options section of our config:
```yaml
---
apiVersion: v1
kind: config
spec:
  agent_options:
    config:
      decorators:
        load:
        - SELECT uuid AS host_uuid FROM system_info;
        - SELECT computer_name AS hostname FROM system_info;
      options:
        disable_distributed: false
        disable_events: false
        distributed_interval: 10
        distributed_plugin: tls
        distributed_tls_max_attempts: 3
        enable_keyboard_events: true
        enable_mouse_events: true
        logger_snapshot_event_type: true
        logger_tls_endpoint: /api/osquery/log
        logger_tls_period: 10
        pack_delimiter: /
```
Is it possible I'm making a mistake somewhere, or is fleet not respecting this command line flag?
Here's a sample event - each item under `snapshot` should be a separate event when this is set to true:
```
{
   action: snapshot
   calendarTime: Fri Jan 20 17:08:26 2023 UTC
   counter: 0
   epoch: 0
   hostIdentifier: host1
   name: pack_MacPack_network_interfaces_snapshot
   numerics: false
   snapshot: [
     { ... }
     { ... }
     { ... }
     { ... }
     { ... }
     { ... }
     { ... }
     { ... }
   ]
   unixTime: 1674234506
}
```
Log scheduled snapshot results as events, similar to differential results. If this is set to true, then each row from a snapshot query will be logged individually.
OK, so some update here, it looks like the `pack_delimiter` flag is also not being respected. I modified our config for the first time a few days ago -- how do I check the fleet server to see what flags it should be applying?
Seems like there's some disconnect between what's in the config and what's getting applied.
k
Command line flags should only be set at runtime. osquery hasn't always been super strict about this, but has been locking it down more and more.
Are you using vanilla osquery or Fleet packages?
c
vanilla osquery (5.5.1)
k
Then you'll want to set those flags in osquery.
c
As in, the flags file on disk?
Sweet, I'll try that.
k
If switching things up is an option, recent versions of Fleet do support managing osquery command line flags through Orbit https://fleetdm.com/docs/using-fleet/configuration-files#code-command-line-flags-code-option
c
I should definitely look into that. There's no reason I'm not using it other than "I know how to deploy vanilla osquery but haven't played around with Orbit yet."
Looks to be fixed now, thanks for the help again! Can't say how helpful it is to be able to troubleshoot with someone in near real time, ty
k
I may be a little biased, but I think it's a really tidy way to keep things up to date and communicating well.
c
I'm not biased -- you should use Orbit 😄