• Artem

    1 year ago
    Hi! How can I apply options to different labels of hosts? Is there a format with all possible fields for fleet options.yaml? I tried to add this to my options.yaml, but it applies to all hosts, not a specific label:
    config:
        targets:
          labels:
            - my labels
  • Noah Talerman

    1 year ago
    Currently, Fleet doesn’t support targeting labels with different options. Fleet does support targeting specific platforms (macOS, Windows, Ubuntu, etc) with different options. Documentation for the options configuration can be found here: https://github.com/fleetdm/fleet/blob/master/docs/1-Using-Fleet/2-fleetctl-CLI.md#osquery-configuration-options
  • Artem

    1 year ago
    @Noah Talerman Could I set the maximum options in the options.yaml file (including FIM, process_events, etc…), but then on some hosts marked with labels, do not execute, for example, the request
    select * from process_file_events
    select * from file_events
    so the performance on the host cannot be reduced?
  • nyanshak

    1 year ago
    osquery will still buffer events if they're enabled. This is a pretty unfortunate limitation of Fleet right now (not able to target options to groups of hosts) but should be available... eventually (with Teams). So there's still some overhead if you enable the options but don't enable the queries (e.g., by using labels to target queries you could avoid running those queries on some hosts).
  • I don't know if this works for you, but you could possibly set all options except those options in Fleet, then add those specific options to flag files on hosts where you want to enable process / file events.
  • Generally, if an option is set in Fleet, it overrides flag files. But if it's not set in Fleet, whatever you have in flag files gets used (or the osquery default if unset).