2020-12-24 22:12:44 +00:00
# Fleet UI

- [Creating a query](#create-a-query)
- [Running a query](#run-a-query)
- [Scheduling a query](#schedule-a-query)
- [Update agent options](#update-agent-options)

<div purpose="embedded-content">
   <iframe src="https://www.youtube.com/embed/1VNvg3_drow" allowfullscreen></iframe>
</div>

## Create a query

Queries in Fleet allow you to ask a multitude of questions to help you manage, monitor, and identify threats on your devices.

If you're unsure of what to ask, head to Fleet's [query library](https://fleetdm.com/queries). There you'll find common queries that have been tested by members of our community.

How to create a query:

1. In the top navigation, select **Queries**.
2. Select **Create new query** to navigate to the query console.
3. In the **Query** field, enter your query. Remember, you can find common queries in [Fleet's library](https://fleetdm.com/queries).
4. Select **Save**, enter a name and description for your query, and select **Save query**.

## Run a query

Run a live query to get answers for all of your online hosts.

> Offline hosts won’t respond to a live query because they may be shut down, asleep, or not connected to the internet.

How to run a query:

1. In the top navigation, select **Queries**.
2. In the **Queries** table, find the query you'd like to run and select the query's name to navigate to the query console.
3. Select **Run query** to navigate to the target picker. Select **All hosts** and select **Run**. This will run the query against all your hosts.

The query may take several seconds to complete because Fleet has to wait for the hosts to respond with results.

> Fleet's query response time is inherently variable because of osquery's heartbeat response time. This helps prevent performance issues on hosts.

## Schedule a query

Fleet allows you to schedule queries. Scheduled queries will send data to your log destination automatically.

The default log destination, **filesystem**, is good to start. With this set, data is sent to the `/var/log/osquery/osqueryd.snapshots.log` file on each host’s filesystem. To see which log destinations are available in Fleet, head to the [log destinations page](https://fleetdm.com/docs/using-fleet/log-destinations).

How to schedule a query:

1. In the top navigation, select **Schedule**.
2. Select **Schedule a query**.
3. Select the **Select query** dropdown and choose the query that you'd like to run on a schedule.
4. Select the **Frequency** dropdown and choose how often you'd like the query to run and send results to your log destination. **Every hour** is a good frequency to start. You can change this later.
5. Select **Schedule**.
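
Once a scheduled query is writing to the snapshots file named above, a common first task is to see what changed between two runs on the same host. The following is an added example, not code from Fleet or osquery: it assumes one JSON object per line in osquery's snapshot result format, and the host names, the query name and the rows in the sample are constructed.

```python
import json

# Constructed sample in osquery's snapshot result format, one JSON object per line.
# Host names, the query name and the rows are made up; the last line is cut off on purpose.
SAMPLE_LOG = """\
{"action":"snapshot","name":"pack/Global/Listening ports","hostIdentifier":"host-a","unixTime":1672653600,"snapshot":[{"port":"22"}]}
{"action":"snapshot","name":"pack/Global/Listening ports","hostIdentifier":"host-b","unixTime":1672653605,"snapshot":[{"port":"443"}]}
{"action":"snapshot","name":"pack/Global/Listening ports","hostIdentifier":"host-a","unixTime":1672657200,"snapshot":[{"port":"22"},{"port":"8080"}]}
{"action":"snapshot","name":"pack/Global/Listening ports","hostIdentifier":"host-b","unixTime":16726
"""

def parse_snapshots(lines):
    """Yield (host, query name, unix time, rows) for each well-formed snapshot entry."""
    for line in lines:
        try:
            entry = json.loads(line)
            if entry["action"] != "snapshot":
                continue
            yield (entry["hostIdentifier"], entry["name"],
                   int(entry["unixTime"]), entry["snapshot"])
        except (ValueError, KeyError, TypeError):
            continue  # blank, truncated (mid-write or rotation) or unexpected line

def snapshots_by_host(lines, query_name):
    """Return {host: [(unix time, rows), ...]} for one query, oldest first."""
    history = {}
    for host, name, ts, rows in parse_snapshots(lines):
        if name == query_name:
            history.setdefault(host, []).append((ts, rows))
    for runs in history.values():
        runs.sort(key=lambda run: run[0])
    return history

def new_rows(lines, query_name):
    """Return {host: rows in the newest snapshot that the previous one lacked}."""
    result = {}
    for host, runs in snapshots_by_host(lines, query_name).items():
        if len(runs) < 2:
            continue  # a single snapshot has nothing to compare against
        previous = {json.dumps(r, sort_keys=True) for r in runs[-2][1]}
        result[host] = [r for r in runs[-1][1]
                        if json.dumps(r, sort_keys=True) not in previous]
    return result

if __name__ == "__main__":
    # On a host you would read the file named on this page instead of SAMPLE_LOG.
    print(new_rows(SAMPLE_LOG.splitlines(), "pack/Global/Listening ports"))
```
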

With Fleet Premium, you can schedule queries for groups of hosts using [the teams feature](https://fleetdm.com/docs/using-fleet/teams). This allows you to collect different data for each group.

> In Fleet Premium, groups of hosts are called "teams."

How to use teams to schedule queries for a group of hosts:

1. If you haven't already, first [create a team](https://fleetdm.com/docs/using-fleet/teams#create-a-team) and [transfer hosts](https://fleetdm.com/docs/using-fleet/teams#transfer-hosts-to-a-team) to the team.
2. In the **Teams** dropdown below the top navigation, select the team.
3. Follow the "How to schedule a query" instructions above.

## Update agent options
<!-- Heading is kept so that the link from the Fleet UI still works -->
<span id="configuring-agent-options" name="configuring-agent-options"></span>

Fleet allows you to update the settings of the agent installed on all your hosts at once. In Fleet, these settings are called "agent options."

The default agent options are good to start.

How to update agent options:

1. In the top navigation, select your avatar and select **Settings**. Only users with the [admin role](https://fleetdm.com/docs/using-fleet/permissions) can access the pages in **Settings**.
2. On the Organization settings page, select **Agent options** on the left side of the page.
3. Use Fleet's YAML editor to configure your osquery options, decorators, or set command line flags.
   To see all agent options, head to the [agent options documentation](https://fleetdm.com/docs/using-fleet/configuration-files#agent-options).
4. Place your new setting one level below the `options` key. The new setting's key should be below and one tab to the right of `options`.
5. Select **Save**.

The agents may take several seconds to update because Fleet has to wait for the hosts to check in. Additionally, hosts enrolled with removed enroll secrets must properly rotate their secret to have the new changes take effect.

<meta name="title" value="Fleet UI">
<meta name="pageOrderInSection" value="200">