Comments (6)
Hi @anelshaer. Great suggestion. Why does it make more sense for you to have these two kinds of labels? Why would you rather have the query in your example run on the Fleet DB instead of all hosts?
from fleet.
Hi Noah,
Labels that are based on packages, a config file, or something that needs a system check would make sense to run on each system.
Labels that run OS system info, osquery info, or data gathered by Fleet, like the hostname for example: seeing these queries and running them on each osquery agent, it has some processing like other queries, and it also generates logs in osqueryd.INFO like the examples below.
I suggest having the option to run them on the DB, and both of them would also have a frequency set, like I noticed the labels run each hour, I guess.
Executing distributed query: kolide_label_query_36: select 1 from file where path="/etc/rsyslog.d/osquery.conf";
Executing distributed query: kolide_label_query_37: SELECT 1 FROM system_info where hostname like "%.dev.%";
Executing distributed query: kolide_label_query_38: SELECT 1 FROM system_info WHERE hostname NOT LIKE "%.dev.%";
Executing distributed query: kolide_label_query_39: SELECT 1 FROM system_info where hostname like 'php%';
Executing distributed query: kolide_label_query_40: SELECT 1 FROM osquery_info where version != '4.3.0';
Executing distributed query: kolide_label_query_47: SELECT 1 FROM system_info where hostname like 'php-qt2.dev.%' or hostname like 'php-m67.dev.%' ;
from fleet.
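Added example, not part of the original thread and not Fleet's code: a small classifier that reads the `osqueryd.INFO` lines quoted in the comment above and separates label queries that only touch host-identity tables from those that need on-host state. The `SERVER_SIDE_TABLES` set and the function names are assumptions made for illustration, taken from the tables the comment mentions.

```python
import re

# Assumption: tables whose contents the comment treats as already known to the
# Fleet server (host identity, agent version). Not a list taken from Fleet.
SERVER_SIDE_TABLES = {"system_info", "osquery_info"}

# The distributed-query lines quoted in the comment above.
SAMPLE_LOG = """\
Executing distributed query: kolide_label_query_36: select 1 from file where path="/etc/rsyslog.d/osquery.conf";
Executing distributed query: kolide_label_query_37: SELECT 1 FROM system_info where hostname like "%.dev.%";
Executing distributed query: kolide_label_query_38: SELECT 1 FROM system_info WHERE hostname NOT LIKE "%.dev.%";
Executing distributed query: kolide_label_query_39: SELECT 1 FROM system_info where hostname like 'php%';
Executing distributed query: kolide_label_query_40: SELECT 1 FROM osquery_info where version != '4.3.0';
Executing distributed query: kolide_label_query_47: SELECT 1 FROM system_info where hostname like 'php-qt2.dev.%' or hostname like 'php-m67.dev.%' ;
"""

LINE_RE = re.compile(r"Executing distributed query: (kolide_label_query_\d+): (.+)$")
TABLE_RE = re.compile(r"\b(?:from|join)\s+([A-Za-z_][A-Za-z0-9_]*)", re.IGNORECASE)


def classify(log_text):
    """Map each label query name to 'server' or 'host'."""
    result = {}
    for line in log_text.splitlines():
        match = LINE_RE.search(line)
        if not match:
            continue  # not a distributed label query line
        name, sql = match.groups()
        tables = {t.lower() for t in TABLE_RE.findall(sql)}
        # A query with no recognisable table, or with any table outside the
        # assumed set, still has to be evaluated on the host itself.
        on_server = bool(tables) and tables <= SERVER_SIDE_TABLES
        result[name] = "server" if on_server else "host"
    return result


def host_side(log_text):
    """Names of label queries that must keep running on every agent."""
    return sorted(n for n, where in classify(log_text).items() if where == "host")


if __name__ == "__main__":
    for name, where in classify(SAMPLE_LOG).items():
        print(f"{name}: {where}")
```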
Are the goals you mentioned in this comment (separate issue) related to your goals with creating two kinds of labels? More specifically, is the idea that having these two kinds of labels will help you minimize the number of queries and log output?
from fleet.
Yes exactly Noah, this is one of the benefits: it will minimize the number of queries and logs on each host.
It provides a means to group hosts which you can target with queries on the fly, with no need to query every host initially to get the targets.
Another thing to highlight: if you are investigating some machines, usually you want to keep it under the radar, so creating a query that describes the machines/targets could tip off and expose your search/investigation.
from fleet.
Just heard another request for this while speaking with a customer today.
from fleet.