Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
v
Vlad Previn
02/17/2023, 8:30 AM👋 is there a way to backup or manage query schedules via fleetctl ?
i can see we can get packs and or queries or packs including queries .
but i don’t seem to be able to find the schedule section
fleet 4.27 btw
😕 im not sure i necessarily understand packs vs queries either.
I don’t recall creating a pack but one of the scheduled queries shows up in packs
./fleetctl get packs --yaml
---
apiVersion: v1
kind: pack
spec:
description: test
disabled: false
id: 2
name: test_pack
queries:
- description: ""
interval: 7200
name: heartbeat
platform: all
query: heartbeat
removed: false
snapshot: true
version: ""
targets:
labels: null
teams: nulland the pack interval for the query is 2h which is neither of the scheduled queries
as opposed to
<https://fleetdm.com/docs/using-fleet/rest-api#example70>GET /api/v1/fleet/global/schedule{
"global_schedule": [
{
"created_at": "0001-01-01T00:00:00Z",
"updated_at": "0001-01-01T00:00:00Z",
"id": 1,
"pack_id": 1,
"name": "heartbeat",
"query_id": 1,
"query_name": "heartbeat",
"query": "SELECT * FROM osquery_info LIMIT 1;",
"interval": 3600,
"snapshot": true,
"removed": false,
"platform": "",
"version": "",
"shard": null,
"denylist": null,
"stats": {
"system_time_p50": 2.375,
"system_time_p95": 32,
"user_time_p50": 1.0789,
"user_time_p95": 5.875,
"total_executions": 1267
}
},
{
"created_at": "0001-01-01T00:00:00Z",
"updated_at": "0001-01-01T00:00:00Z",
"id": 3,
"pack_id": 1,
"name": "testingaudit",
"query_id": 28,
"query_name": "testingaudit",
"query": "SELECT * FROM osquery_info LIMIT 1;",
"interval": 86400,
"snapshot": true,
"removed": false,
"platform": "all",
"version": "",
"shard": null,
"denylist": null,
"stats": {
"system_time_p50": 0,
"system_time_p95": 19.5,
"user_time_p50": 0,
"user_time_p95": 5.3333,
"total_executions": 52
}
}
]
}🤔 😕
so let me get this this straight….from reading up a bit and playing with fleetctl/ui
1. i can do packs via yaml files .
a. packs can include 1 plus queries each with own schedule interval, and the pack def is basically a set of query refs + intervals
b. for target labels - only 1 label per pack? (i.e the whole pack is targeted not individual query)
c. if i do snapshot on for packs it will go to what i have defined in server config (in our case pubsub)?
d. you can manage packs via fleetctl including backing up queries associated with it?
2. scheduled queries in the ui can target all hosts only … adhoc queries can target labels ?
a. schedule is api only - not fleetctl
3. teams/groups in fleet premium can target
tldr to manage query scheduling and testing as a free user fleectl + packs (with optionally multiple queries) + labels is the best and only option? with 1 target (but can do multiple labels in that target) per pack. or to rephrase a bit, to target a specific label - have to use packs?
are packs eol for fleetctl/api?
k
Kathy Satterlee
02/17/2023, 4:02 PMH @Vlad Previn There are lots of changes in the works for scheduling. If you aren't currently using Packs, I'd recommend sticking with scheduled queries.
It does look like you may have played a bit with packs in the past, especially since the name is
test_pack1. You can currently manage Packs using the REST API or
fleetctlsnapshotremovedfalsetrue:fleetctlfleetctl get packs --yaml --with-queriesv
Vlad Previn
02/20/2023, 2:47 AM🤔 ty
can you please provide a yaml example of a query with a schedule to apply via fleetctl, targeted to a specific target label