Hi team - I believe I am confused regarding the co...
# fleet
Hi team - I believe I am confused regarding the command_line_flags portion of the Agent Options configuration in Fleet. What can be added to that portion that's different from the standard config options? I've tried adding things like
config_refresh: 0
but I get an error indicating that this is an "unsupported key".
Hi @Mike S.! can you share the configuration you're applying? Feel free to redact sensitive information
I'm guessing that there's something a little out of place.
config: options: aws_region: <REDACTED> pack_delimiter: / aws_access_key_id: <REDACTED> logger_tls_period: 10 distributed_plugin: tls aws_firehose_stream: <REDACTED> disable_distributed: false logger_tls_endpoint: /api/osquery/log distributed_interval: 10 aws_secret_access_key: <REDACTED> schedule_splay_percent: 10 distributed_tls_max_attempts: 3 decorators: load: - SELECT uuid AS host_uuid FROM system_info; - SELECT hostname AS hostname FROM system_info; command_line_flags: {} # requires Fleet's osquery installer config_refresh: 0
Error message: Could not update settings. unsupported key provided: "config_refresh" If you’re not using the latest osquery, use the fleetctl apply --force command to override validation.
osquery version is 5.7.0
The brackets are closing out
, so
isn't inside of that key:
Copy code
  config_refresh: 0
Should do the trick
Derp, ok! I'll give that a go, thank you!
Like the one thing I didn't try 🙂
I feel that.
I have a tendency to hear hoofbeats and think zebras are coming instead of horses.
I know that you've mentioned using plain osquery on some hosts that already had it installed. Just be aware that flags set in agent options won't apply to those hosts.
Yeah I think we'll try to avoid that use case and stick to the installer as much as possible for simplicity.
Thanks again!
Happy to help.
Oh and not sure that we addressed this portion: The difference is that you can control osquery startup flags (the first section when you do
osqueryd --help
, such as watchdog configuration) remotely with this feature. Previously this was only possible by changing the flags on the endpoint.