Hi team - I believe I am confused regarding the command_line_flags portion of the Agent Options configuration in Fleet. What can be added to that portion that's different from the standard config options? I've tried adding things like

config_refresh: 0

but I get an error indicating that this is an "unsupported key".

Hi @Mike S.! can you share the configuration you're applying? Feel free to redact sensitive information

config: options: aws_region: <REDACTED> pack_delimiter: / aws_access_key_id: <REDACTED> logger_tls_period: 10 distributed_plugin: tls aws_firehose_stream: <REDACTED> disable_distributed: false logger_tls_endpoint: /api/osquery/log distributed_interval: 10 aws_secret_access_key: <REDACTED> schedule_splay_percent: 10 distributed_tls_max_attempts: 3 decorators: load: - SELECT uuid AS host_uuid FROM system_info; - SELECT hostname AS hostname FROM system_info; command_line_flags: {} # requires Fleet's osquery installer config_refresh: 0

The brackets are closing out

command_line_flags

, so

config_refresh

isn't inside of that key:

command_line_flags:
  config_refresh: 0

Should do the trick

Derp, ok! I'll give that a go, thank you!

I feel that.

I have a tendency to hear hoofbeats and think zebras are coming instead of horses.

I know that you've mentioned using plain osquery on some hosts that already had it installed. Just be aware that flags set in agent options won't apply to those hosts.

Yeah I think we'll try to avoid that use case and stick to the installer as much as possible for simplicity.

Happy to help.

Oh and not sure that we addressed this portion: The difference is that you can control osquery startup flags (the first section when you do

osqueryd --help

, such as watchdog configuration) remotely with this feature. Previously this was only possible by changing the flags on the endpoint.