    jake

    11 months ago
    Apologies if this has been asked; I just need a sanity check, because I feel like this should work but it doesn't. When utilizing FleetDM, it processes the flagfile, then anything that is in Agent Config and Overrides will overwrite anything in the flagfile. Would it be possible to add Windows events to the Override for the Windows platform, or do you still need to have a flagfile on the device? The intent is to be able to install Orbit and have it use the Overrides.

    overrides:
      platforms:
        windows:
          options:
            logger_plugin: tls
            pack_delimiter: /
            logger_tls_period: 10
            distributed_plugin: tls
            disable_distributed: false
            logger_tls_endpoint: /api/v1/osquery/log
            distributed_interval: 10
            distributed_tls_max_attempts: 3
            enable_ntfs_event_publisher: true
            enable_windows_events_subscriber: true
            enable_powershell_events_subscriber: true
            events_optimize: true
            events_max: 100000
            events_expiry: 900
            disable_events: false
            disable_logging: false
            schedule_splay_percent: 10
            schedule_max_drift: 15
            windows_event_channels: >-
              System,Application,Setup,Security,Microsoft-Windows-Windows Firewall
              With Advanced Security/Firewall,Microsoft-Windows-Windows Firewall
              With Advanced Security/ConnectionSecurity
            utc: true
            pack_refresh_interval: 1800
            disable_watchdog: false
            watchdog_level: 0
            watchdog_memory_limit: 512
            watchdog_delay: 120
            enable_extensions_watchdog: true
          decorators:
            load:
              - SELECT version FROM osquery_info
              - SELECT uuid AS host_uuid FROM system_info
            always:
              - >-
                SELECT user AS username FROM logged_in_users WHERE user <> '' ORDER
                BY time LIMIT 1
            interval:
              '3600': SELECT total_seconds AS uptime FROM uptime
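As an added illustration (not part of jake's post or of Fleet's own code) of the precedence jake describes, this script resolves the effective osquery options from a constructed flagfile plus agent options shaped like the YAML above; the merge order (flagfile, then agent options, then platform overrides) is taken from the thread's description and is an assumption about Fleet's behaviour. It also includes a defender-side check that Windows event collection actually ends up enabled.

```python
"""Resolve effective osquery options: flagfile < agent options < platform overrides.

The merge order is an assumption based on the thread's description of Fleet.
"""

# Constructed sample flagfile, as it might exist on the Windows host.
FLAGFILE = """\
--logger_plugin=filesystem
--disable_events=true
--enable_windows_events_subscriber=false
--windows_event_channels=System,Application
"""

# Constructed agent options, a subset shaped like the YAML in the post above.
AGENT_OPTIONS = {
    "config": {"options": {"logger_plugin": "tls", "distributed_interval": 10}},
    "overrides": {"platforms": {"windows": {"options": {
        "disable_events": False,
        "enable_windows_events_subscriber": True,
        "windows_event_channels": "System,Application,Setup,Security",
    }}}},
}


def parse_flagfile(text):
    """Turn '--key=value' lines into a dict; a bare '--flag' means true."""
    flags = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.lstrip("-").partition("=")
        flags[key] = value if sep else "true"
    return flags


def effective_options(flagfile_text, agent_options, platform):
    """Apply the layers in increasing precedence and return the merged options."""
    merged = parse_flagfile(flagfile_text)
    merged.update(agent_options.get("config", {}).get("options", {}))
    merged.update(agent_options.get("overrides", {}).get("platforms", {})
                  .get(platform, {}).get("options", {}))
    return merged


def check_event_collection(options):
    """Sanity check: events enabled, Windows subscriber on, Security channel present."""
    channels = [c.strip() for c in str(options.get("windows_event_channels", "")).split(",")]
    return (str(options.get("disable_events", True)).lower() == "false"
            and str(options.get("enable_windows_events_subscriber", False)).lower() == "true"
            and "Security" in channels)
```

Running `check_event_collection` on the flagfile alone fails, while the Windows override layer passes, which is the behaviour jake was trying to confirm.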
    Martavis Parker

    11 months ago
    Hi jake. Just to make sure I understand your issue, are you trying to add a Windows machine as a host without using a flagfile?
    jake

    11 months ago
    Yes. But I actually got the above to work when I rewrote it and applied it through fleetctl apply -f with the file, instead of doing it in the web interface. So I just install Orbit and it automatically pulls flags from the server. If you add the overrides in the web interface and query a Windows device's flags, they wouldn't appear. But applying via the YAML file, it works, including extensions.
    Martavis Parker

    11 months ago
    Great! I'm glad to see it works!