Channels
#fleet
Title
# fleet
d
dinh.bui
03/02/2023, 10:31 AMHi everyone,
I have a problem when I config "command_line_flags" in Agent options in Fleet UI, the config of agents not be updated throught the configuration of "command_line_flags". I checked it by query "osquery_flags" table and received results that flag in table are not updated.
What did I do wrong?
Thanks.
k
Kathy Satterlee
03/02/2023, 3:13 PMHi @dinh.bui! Are you using plain osquery on your hosts, or Fleet’s installer packages?
d
dinh.bui
03/02/2023, 4:17 PMHi @Kathy Satterlee!I 'm using orbit that was build from fleetctl.
https://fleetdm.com/docs/using-fleet/orbit
k
Kathy Satterlee
03/02/2023, 5:37 PMPerfect. Can you show me what your configuration looks like? The most likely culprit is that the
{} Copy code
command_line_flags: {}
enable_file_events: true Copy code
command_line_flags:
enable_file_events: trued
dinh.bui
03/03/2023, 7:18 AMOf course. This is my full configuration in Agent options:
Copy code
config:
options:
pack_delimiter: /
logger_tls_period: 10
distributed_plugin: tls
disable_distributed: false
logger_tls_endpoint: /api/osquery/log
distributed_interval: 10
distributed_tls_max_attempts: 3
decorators:
load:
- SELECT version FROM osquery_info
- SELECT uuid AS host_uuid FROM system_info
always:
- >-
SELECT user AS username FROM logged_in_users WHERE user <> '' ORDER BY
time LIMIT 1
command_line_flags:
events_max: 500000
audit_persist: true
disable_audit: false
events_expiry: 1
disable_events: false
audit_allow_config: true
enable_file_events: true
logger_rotate_size: 26214400
audit_allow_sockets: true
watchdog_memory_limit: 150
logger_rotate_max_files: 5
audit_allow_process_events: true
watchdog_utilization_limit: 130I read section "Manage osquery flags remotely with Orbit" in this link:
https://fleetdm.com/releases/fleet-4.21.0
"Orbit regularly checks flags from Fleet according to the
distributed_interval2 Views