clong

01/20/2023, 5:17 PM
Hey folks, we have logger_snapshot_event_type: true in our config, but we're still seeing snapshot data come in as if it was set to false. Here's the options section of our config:
---
apiVersion: v1
kind: config
spec:
  agent_options:
    config:
      decorators:
        load:
        - SELECT uuid AS host_uuid FROM system_info;
        - SELECT computer_name AS hostname FROM system_info;
      options:
        disable_distributed: false
        disable_events: false
        distributed_interval: 10
        distributed_plugin: tls
        distributed_tls_max_attempts: 3
        enable_keyboard_events: true
        enable_mouse_events: true
        logger_snapshot_event_type: true
        logger_tls_endpoint: /api/osquery/log
        logger_tls_period: 10
        pack_delimiter: /
Is it possible I'm making a mistake somewhere, or is fleet not respecting this command line flag?
Here's a sample event; each item under snapshot should be a separate event when this is set to true:
{ 
   action: snapshot
   calendarTime: Fri Jan 20 17:08:26 2023 UTC
   counter: 0
   epoch: 0
   hostIdentifier: host1
   name: pack_MacPack_network_interfaces_snapshot
   numerics: false
   snapshot: [
     { ... }  (8 rows, collapsed in the original viewer)
   ]
   unixTime: 1674234506
}
Log scheduled snapshot results as events, similar to differential results. If this is set to true, then each row from a snapshot query will be logged individually.
OK, so some update here: it looks like the pack_delimiter flag is also not being respected. I modified our config for the first time a few days ago -- how do I check the fleet server to see what flags it should be applying?
Seems like there's some disconnect between what's in the config and what's getting applied.
Kathy Satterlee

01/20/2023, 5:44 PM
Command line flags should only be set at runtime. osquery hasn't always been super strict about this, but has been locking it down more and more.
Are you using vanilla osquery or Fleet packages?
clong

01/20/2023, 5:46 PM
vanilla osquery (5.5.1)
Kathy Satterlee

01/20/2023, 5:48 PM
Then you'll want to set those flags in osquery.
clong

01/20/2023, 5:48 PM
As in, the flags file on disk?
Sweet, I'll try that.
Kathy Satterlee

01/20/2023, 5:51 PM
If switching things up is an option, recent versions of Fleet do support managing osquery command line flags through Orbit https://fleetdm.com/docs/using-fleet/configuration-files#code-command-line-flags-code-option
clong

01/20/2023, 5:52 PM
I should definitely look into that. There's no reason I'm not using it other than "I know how to deploy vanilla osquery but haven't played around with Orbit yet".
Looks to be fixed now, thanks for the help again! Can't say how helpful it is to be able to troubleshoot with someone in near real time :ty:
Kathy Satterlee

01/20/2023, 7:07 PM
I may be a little biased, but I think it's a really tidy way to keep things up to date and communicating well.
charles

01/20/2023, 9:56 PM
I'm not biased -- you should use Orbit 😄