Channels
# apple-silicon
# arm-architecture
# auditing-warroom
# aws
# code-review
# community-feeds
# core
# darkbytes
# doorman
# ebpf
# eclecticiq-polylogyx-extension
# extensions
# file-carving
# fim
# fleet
# foundation
# fuzzing
# general
# golang
# goquery
# infrastructure
# kolide
# linux
# macos
# officehours
# osctrl
# plugins
# process-auditing
# querycon
# queryhub
# sql
# tls
# uptycs
# website
# windows
# zeek
# zercurity
- n
nyanshak
1 year agosmall feedback about file carving (I still need a bit more time to play around with it to go into deeper feedback): If I run
, I don't see any help text for: • --stdout / --outfile (so I don't know those options exist) • and I know the docs exist and mention tar out, but it took me a minute to figure out that carves would be in a tar archivefleetctl get carves --help 
zwass
1 year agoGood points. You actually get the help text you expected with
. The other thing I'm not sure we mention is that compression can be enabled on the osquery side and it will be zstandard compression on top of the tar archive.fleetctl get carve --help- n
nyanshak
1 year agooh wait 🤦 - I think I was looking at the wrong help output
- but yes, compression help text would be good (for outfile)
zwass
1 year agoYou just don't get the text withfleetctl get carves- n
nyanshak
1 year agoOooh interesting, that's pretty confusing as an end user of fleetctl zwass
1 year agoMy idea was the plural gets metadata for the carves while the singular gets the actual carve contents. They each have different flags. Happy to work with you to find something that is more intuitive.- n
nyanshak
1 year agoAh, okay. I've only done a pretty cursory exploration of carving. I'll have a think about it after I play around with it some more. zwass
1 year agoGreat, please let me know!
Join thread in Slack
View count: 1