# Configuration

## Configuring the Fleet binary

For detailed usage information on how to run the `fleet` binary, run `fleet --help`. This document is a more detailed version of the data presented in the help output text. If you prefer to use a CLI instead of a web browser, we hope you like the binary interface of the Fleet application!

### High-level configuration overview

In order to get the most out of running the Fleet server, it is helpful to establish a mutual understanding of what the desired architecture looks like and what it's trying to accomplish.

Your Fleet server's two main purposes are:

- To serve as your [osquery TLS server](https://osquery.readthedocs.io/en/stable/deployment/remote/)
- To serve the Fleet web UI, which allows you to manage osquery configuration, query hosts, etc.

The Fleet server allows you to persist configuration, manage users, etc. Thus, it needs a database. Fleet uses MySQL and requires you to supply configurations to connect to a MySQL server. It is also possible to configure a connection to a MySQL replica in addition to the primary; the replica is used for reads only. Fleet also uses Redis to perform more high-speed data access actions throughout the application's lifecycle (for example, distributed query result ingestion). Thus, Fleet also requires that you supply Redis connection configurations.

Fleet can scale to hundreds of thousands of devices with a single Redis instance and is also compatible with Redis Cluster. Fleet does not support Redis Sentinel.

Since Fleet is a web application, when you run it there are other configurations that must be defined, such as:

- The TLS certificates that Fleet should use to terminate TLS.

When deploying Fleet, mitigate DoS attacks as you would when deploying any app.

Since Fleet is an osquery TLS server, you are also able to define configurations that can customize your experience there, such as:

- The destination of the osquery status and result logs on the local filesystem
- Various details about the refresh/check-in intervals for your hosts

### Commands

The `fleet` binary contains several "commands." Similarly to how `git` has many commands (`git status`, `git commit`, etc.), the `fleet` binary accepts the following commands:

- `fleet prepare db`
- `fleet serve`
- `fleet version`
- `fleet config_dump`

### Options

#### How do you specify options?

You can specify options in the order of precedence via:

1. a configuration file (in YAML format)
2. environment variables
3. command-line flags

For example, all of the following ways of launching Fleet are equivalent:

##### 1. Using a YAML config file

```
echo '
mysql:
  address: 127.0.0.1:3306
  database: fleet
  username: root
  password: toor
redis:
  address: 127.0.0.1:6379
server:
  cert: /tmp/server.cert
  key: /tmp/server.key
logging:
  json: true
' > /tmp/fleet.yml
fleet serve --config /tmp/fleet.yml
```

For more information on using YAML configuration files with Fleet, see the [configuration files](https://fleetdm.com/docs/using-fleet/configuration-files) documentation.

##### 2. Using only environment variables
```
FLEET_MYSQL_ADDRESS=127.0.0.1:3306 \
FLEET_MYSQL_DATABASE=fleet \
FLEET_MYSQL_USERNAME=root \
FLEET_MYSQL_PASSWORD=toor \
FLEET_REDIS_ADDRESS=127.0.0.1:6379 \
FLEET_SERVER_CERT=/tmp/server.cert \
FLEET_SERVER_KEY=/tmp/server.key \
FLEET_LOGGING_JSON=true \
/usr/bin/fleet serve
```
##### 3. Using only CLI flags
```
/usr/bin/fleet serve \
--mysql_address=127.0.0.1:3306 \
--mysql_database=fleet \
--mysql_username=root \
--mysql_password=toor \
--redis_address=127.0.0.1:6379 \
--server_cert=/tmp/server.cert \
--server_key=/tmp/server.key \
--logging_json
```

### What are the options?

Note that all option names can be converted consistently from flag name to environment variable and vice versa. For example, the `--mysql_address` flag corresponds to the `FLEET_MYSQL_ADDRESS` environment variable. Further, specifying the `mysql_address` option in the config would follow the pattern:

```
mysql:
  address: 127.0.0.1:3306
```

And `mysql_read_replica_address` would be:

```
mysql_read_replica:
  address: 127.0.0.1:3307
```

Basically, just capitalize the option and prepend `FLEET_` to it to get the environment variable. The conversion works the same the opposite way.

All duration-based settings accept valid time units of `s`, `m`, `h`.
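
The naming rule above, as an added example that is not part of Fleet's code: it reduces the three equivalent launch forms from this page to one flat option map and converts names back. The `SECTIONS` list and the small parser for this page's two-level YAML layout are assumptions of this example.

```python
# Added example (not Fleet's own code): reduce the three launch forms shown on
# this page to one flat option map, using the naming rule described above.

# Top-level YAML sections that appear on this page. The longest prefix must win
# so that mysql_read_replica_address is not filed under "mysql".
SECTIONS = ("mysql_read_replica", "mysql", "redis", "server", "logging",
            "auth", "app", "license", "session", "osquery")


def from_yaml(text):
    """Parse only the two-level `section:` / `  key: value` layout used here."""
    options, section = {}, None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        key, _, value = stripped.partition(":")
        value = value.strip().strip("'\"")
        if not raw[0].isspace():
            section = key.strip()          # an unindented line opens a section
        elif section is None:
            raise ValueError(f"indented key outside a section: {raw!r}")
        else:
            options[f"{section}_{key.strip()}"] = value
    return options


def from_env(environ):
    """FLEET_MYSQL_ADDRESS -> mysql_address; other variables are ignored."""
    prefix = "FLEET_"
    return {name[len(prefix):].lower(): value
            for name, value in environ.items() if name.startswith(prefix)}


def from_flags(argv):
    """Handle the two flag shapes shown above: --name=value and a bare --name."""
    options = {}
    for arg in argv:
        if arg.startswith("--"):
            name, has_value, value = arg[2:].partition("=")
            options[name] = value if has_value else "true"
    return options


def to_env(option):
    """mysql_address -> FLEET_MYSQL_ADDRESS."""
    return "FLEET_" + option.upper()


def to_yaml_path(option):
    """mysql_read_replica_address -> ("mysql_read_replica", "address")."""
    for section in sorted(SECTIONS, key=len, reverse=True):
        if option.startswith(section + "_"):
            return section, option[len(section) + 1:]
    raise ValueError(f"no known section for {option!r}")


# The three launch forms from this page, embedded as sample input.
YAML_FORM = """
mysql:
  address: 127.0.0.1:3306
  database: fleet
  username: root
  password: toor
redis:
  address: 127.0.0.1:6379
server:
  cert: /tmp/server.cert
  key: /tmp/server.key
logging:
  json: true
"""
ENV_FORM = {
    "FLEET_MYSQL_ADDRESS": "127.0.0.1:3306", "FLEET_MYSQL_DATABASE": "fleet",
    "FLEET_MYSQL_USERNAME": "root", "FLEET_MYSQL_PASSWORD": "toor",
    "FLEET_REDIS_ADDRESS": "127.0.0.1:6379",
    "FLEET_SERVER_CERT": "/tmp/server.cert", "FLEET_SERVER_KEY": "/tmp/server.key",
    "FLEET_LOGGING_JSON": "true",
    "PATH": "/usr/bin",                    # unrelated variable, must be ignored
}
FLAG_FORM = ["serve", "--mysql_address=127.0.0.1:3306", "--mysql_database=fleet",
             "--mysql_username=root", "--mysql_password=toor",
             "--redis_address=127.0.0.1:6379", "--server_cert=/tmp/server.cert",
             "--server_key=/tmp/server.key", "--logging_json"]

if __name__ == "__main__":
    assert from_yaml(YAML_FORM) == from_env(ENV_FORM) == from_flags(FLAG_FORM)
    for option in sorted(from_yaml(YAML_FORM)):
        print(option, to_env(option), to_yaml_path(option))
```
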

#### MySQL

This section describes the configuration options for the primary. Suppose you also want to set up a read replica. In that case the options are the same, except that the YAML section is `mysql_read_replica`, and the flags have the `mysql_read_replica_` prefix instead of `mysql_` (the corresponding environment variables follow the same transformation). Note that there is no default value for `mysql_read_replica_address`; it must be set explicitly for Fleet to use a read replica. In that case, it is recommended to set a non-zero value for `mysql_read_replica_conn_max_lifetime`, because in some environments the replica's address may dynamically change to point from the primary to an actual distinct replica based on auto-scaling options, so existing idle connections need to be recycled periodically.

##### mysql_address

For the address of the MySQL server that Fleet should connect to, include the hostname and port.

- Default value: `localhost:3306`
- Environment variable: `FLEET_MYSQL_ADDRESS`
- Config file format:

```
mysql:
  address: localhost:3306
```

##### mysql_database

This is the name of the MySQL database which Fleet will use.

- Default value: `fleet`
- Environment variable: `FLEET_MYSQL_DATABASE`
- Config file format:

```
mysql:
  database: fleet
```

##### mysql_username

The username to use when connecting to the MySQL instance.

- Default value: `fleet`
- Environment variable: `FLEET_MYSQL_USERNAME`
- Config file format:

```
mysql:
  username: fleet
```

##### mysql_password

The password to use when connecting to the MySQL instance.

- Default value: `fleet`
- Environment variable: `FLEET_MYSQL_PASSWORD`
- Config file format:

```
mysql:
  password: fleet
```

##### mysql_password_path

File path to a file that contains the password to use when connecting to the MySQL instance.

- Default value: `""`
- Environment variable: `FLEET_MYSQL_PASSWORD_PATH`
- Config file format:

```
mysql:
  password_path: '/run/secrets/fleetdm-mysql-password'
```

##### mysql_tls_ca

The path to a PEM encoded certificate of MySQL's CA for client certificate authentication.

- Default value: none
- Environment variable: `FLEET_MYSQL_TLS_CA`
- Config file format:

```
mysql:
  tls_ca: /path/to/server-ca.pem
```

##### mysql_tls_cert

The path to a PEM encoded certificate used for TLS authentication.

- Default value: none
- Environment variable: `FLEET_MYSQL_TLS_CERT`
- Config file format:

```
mysql:
  tls_cert: /path/to/certificate.pem
```

##### mysql_tls_key

The path to a PEM encoded private key used for TLS authentication.

- Default value: none
- Environment variable: `FLEET_MYSQL_TLS_KEY`
- Config file format:

```
mysql:
  tls_key: /path/to/key.pem
```

##### mysql_tls_config

The TLS value in a MySQL DSN. Can be `true`, `false`, `skip-verify`, or the CN value of the certificate.

- Default value: none
- Environment variable: `FLEET_MYSQL_TLS_CONFIG`
- Config file format:

```
mysql:
  tls_config: true
```

##### mysql_tls_server_name

This is the server name or IP address used by the client certificate.

- Default value: none
- Environment variable: `FLEET_MYSQL_TLS_SERVER_NAME`
- Config file format:

```
mysql:
  tls_server_name: 127.0.0.1
```

##### mysql_max_open_conns

The maximum open connections to the database.

- Default value: 50
- Environment variable: `FLEET_MYSQL_MAX_OPEN_CONNS`
- Config file format:

```
mysql:
  max_open_conns: 50
```

##### mysql_max_idle_conns

The maximum idle connections to the database. This value should be equal to or less than `mysql_max_open_conns`.

- Default value: 50
- Environment variable: `FLEET_MYSQL_MAX_IDLE_CONNS`
- Config file format:

```
mysql:
  max_idle_conns: 50
```

##### mysql_conn_max_lifetime

The maximum amount of time, in seconds, a connection may be reused.

- Default value: 0 (Unlimited)
- Environment variable: `FLEET_MYSQL_CONN_MAX_LIFETIME`
- Config file format:

```
mysql:
  conn_max_lifetime: 50
```

##### mysql_sql_mode

Sets the connection `sql_mode`. See [MySQL Reference](https://dev.mysql.com/doc/refman/5.7/en/sql-mode.html) for more details.
This setting should not usually be used.

- Default value: `""`
- Environment variable: `FLEET_MYSQL_SQL_MODE`
- Config file format:

```
mysql:
  sql_mode: ANSI
```

##### Example YAML

```yaml
mysql:
  address: localhost:3306
  database: fleet
  password: fleet
  max_open_conns: 50
  max_idle_conns: 50
  conn_max_lifetime: 50
```

#### Redis

To test a TLS connection to a Redis instance, run the `tlsconnect` Go program in `tools/redis-tests`. For example, from the root of the repository:

```
$ go run ./tools/redis-tests/tlsconnect.go -addr <redis_address> -cacert <redis_tls_ca> -cert <redis_tls_cert> -key <redis_tls_key>
# run `go run ./tools/redis-tests/tlsconnect.go -h` for the full list of supported flags
```

By default, this will set up a Redis pool for that configuration and execute a `PING` command with a TLS connection, printing any error it encounters.

##### redis_address

For the address of the Redis server that Fleet should connect to, include the hostname and port.

- Default value: `localhost:6379`
- Environment variable: `FLEET_REDIS_ADDRESS`
- Config file format:

```
redis:
  address: 127.0.0.1:7369
```

##### redis_username

The username to use when connecting to the Redis instance.

- Default value: `<empty>`
- Environment variable: `FLEET_REDIS_USERNAME`
- Config file format:

```
redis:
  username: foobar
```

##### redis_password

The password to use when connecting to the Redis instance.

- Default value: `<empty>`
- Environment variable: `FLEET_REDIS_PASSWORD`
- Config file format:

```
redis:
  password: foobar
```

##### redis_database

The database to use when connecting to the Redis instance.

- Default value: `0`
- Environment variable: `FLEET_REDIS_DATABASE`
- Config file format:

```
redis:
  database: 14
```

##### redis_use_tls

Use a TLS connection to the Redis server.

- Default value: `false`
- Environment variable: `FLEET_REDIS_USE_TLS`
- Config file format:

```
redis:
  use_tls: true
```

##### redis_duplicate_results

Whether or not to duplicate Live Query results to another Redis channel named `LQDuplicate`. This is useful in a scenario involving shipping the Live Query results outside of Fleet, near real-time.

- Default value: `false`
- Environment variable: `FLEET_REDIS_DUPLICATE_RESULTS`
- Config file format:

```
redis:
  duplicate_results: true
```

##### redis_connect_timeout

Timeout for the Redis connection.

- Default value: 5s
- Environment variable: `FLEET_REDIS_CONNECT_TIMEOUT`
- Config file format:

```
redis:
  connect_timeout: 10s
```

##### redis_keep_alive

The interval between keep-alive probes.

- Default value: 10s
- Environment variable: `FLEET_REDIS_KEEP_ALIVE`
- Config file format:

```
redis:
  keep_alive: 30s
```

##### redis_connect_retry_attempts

The maximum number of attempts to retry a failed connection to a Redis node. Only certain types of errors are retried, such as connection timeouts.

- Default value: 0 (no retry)
- Environment variable: `FLEET_REDIS_CONNECT_RETRY_ATTEMPTS`
- Config file format:

```
redis:
  connect_retry_attempts: 2
```

##### redis_cluster_follow_redirections

Whether or not to automatically follow redirection errors received from the Redis server. Applies only to Redis Cluster setups, ignored in standalone Redis. In Redis Cluster, keys can be moved around to different nodes when the cluster is unstable and reorganizing the data. With this configuration option set to true, those (typically short and transient) redirection errors can be handled transparently instead of ending in an error.

- Default value: false
- Environment variable: `FLEET_REDIS_CLUSTER_FOLLOW_REDIRECTIONS`
- Config file format:

```
redis:
  cluster_follow_redirections: true
```

##### redis_cluster_read_from_replica

Whether or not to prefer reading from a replica when possible. Applies only to Redis Cluster setups, ignored in standalone Redis.

- Default value: false
- Environment variable: `FLEET_REDIS_CLUSTER_READ_FROM_REPLICA`
- Config file format:

```
redis:
  cluster_read_from_replica: true
```

##### redis_tls_cert

This is the path to a PEM-encoded certificate used for TLS authentication.

- Default value: none
- Environment variable: `FLEET_REDIS_TLS_CERT`
- Config file format:

```
redis:
  tls_cert: /path/to/certificate.pem
```

##### redis_tls_key

This is the path to a PEM-encoded private key used for TLS authentication.

- Default value: none
- Environment variable: `FLEET_REDIS_TLS_KEY`
- Config file format:

```
redis:
  tls_key: /path/to/key.pem
```

##### redis_tls_ca

This is the path to a PEM-encoded certificate of Redis' CA for client certificate authentication.

- Default value: none
- Environment variable: `FLEET_REDIS_TLS_CA`
- Config file format:

```
redis:
  tls_ca: /path/to/server-ca.pem
```

##### redis_tls_server_name

The server name or IP address used by the client certificate.

- Default value: none
- Environment variable: `FLEET_REDIS_TLS_SERVER_NAME`
- Config file format:

```
redis:
  tls_server_name: 127.0.0.1
```

##### redis_tls_handshake_timeout

The timeout for the Redis TLS handshake part of the connection. A value of 0 means no timeout.

- Default value: 10s
- Environment variable: `FLEET_REDIS_TLS_HANDSHAKE_TIMEOUT`
- Config file format:

```
redis:
  tls_handshake_timeout: 10s
```

##### redis_max_idle_conns

The maximum idle connections to Redis. This value should be equal to or less than `redis_max_open_conns`.

- Default value: 3
- Environment variable: `FLEET_REDIS_MAX_IDLE_CONNS`
- Config file format:

```
redis:
  max_idle_conns: 50
```

##### redis_max_open_conns

The maximum open connections to Redis. A value of 0 means no limit.

- Default value: 0
- Environment variable: `FLEET_REDIS_MAX_OPEN_CONNS`
- Config file format:

```
redis:
  max_open_conns: 100
```

##### redis_conn_max_lifetime

The maximum time a Redis connection may be reused. A value of 0 means no limit.

- Default value: 0 (Unlimited)
- Environment variable: `FLEET_REDIS_CONN_MAX_LIFETIME`
- Config file format:

```
redis:
  conn_max_lifetime: 30m
```

##### redis_idle_timeout

The maximum time a Redis connection may stay idle. A value of 0 means no limit.

- Default value: 240s
- Environment variable: `FLEET_REDIS_IDLE_TIMEOUT`
- Config file format:

```
redis:
  idle_timeout: 5m
```

##### redis_conn_wait_timeout

The maximum time to wait for a Redis connection if the max_open_conns limit is reached. A value of 0 means no wait. This is ignored if Redis is not running in cluster mode.

- Default value: 0
- Environment variable: `FLEET_REDIS_CONN_WAIT_TIMEOUT`
- Config file format:

```
redis:
  conn_wait_timeout: 1s
```

##### redis_read_timeout

The maximum time to wait to receive a response from a Redis server. A value of 0 means no timeout.

- Default value: 10s
- Environment variable: `FLEET_REDIS_READ_TIMEOUT`
- Config file format:

```
redis:
  read_timeout: 5s
```

##### redis_write_timeout

The maximum time to wait to send a command to a Redis server. A value of 0 means no timeout.

- Default value: 10s
- Environment variable: `FLEET_REDIS_WRITE_TIMEOUT`
- Config file format:

```
redis:
  write_timeout: 5s
```

##### Example YAML

```yaml
redis:
  address: localhost:7369
  password: foobar
  database: 14
  connect_timeout: 10s
  connect_retry_attempts: 2
```

#### Server

##### server_address

The address to serve the Fleet webserver.

- Default value: `0.0.0.0:8080`
- Environment variable: `FLEET_SERVER_ADDRESS`
- Config file format:

```
server:
  address: 0.0.0.0:443
```

##### server_cert

The TLS cert to use when terminating TLS.

See [TLS certificate considerations](https://fleetdm.com/docs/deploying/introduction#tls-certificate) for more information about certificates and Fleet.

- Default value: `./tools/osquery/fleet.crt`
- Environment variable: `FLEET_SERVER_CERT`
- Config file format:

```
server:
  cert: /tmp/fleet.crt
```

##### server_key

The TLS key to use when terminating TLS.

- Default value: `./tools/osquery/fleet.key`
- Environment variable: `FLEET_SERVER_KEY`
- Config file format:

```
server:
  key: /tmp/fleet.key
```

##### server_tls

Whether or not the server should be served over TLS.

- Default value: `true`
- Environment variable: `FLEET_SERVER_TLS`
- Config file format:

```
server:
  tls: false
```

##### server_tls_compatibility

Configures the TLS settings for compatibility with various user agents. Options are `modern` and `intermediate`. These correspond to the compatibility levels [defined by the Mozilla OpSec team](https://wiki.mozilla.org/index.php?title=Security/Server_Side_TLS&oldid=1229478) (updated July 24, 2020).

- Default value: `intermediate`
- Environment variable: `FLEET_SERVER_TLS_COMPATIBILITY`
- Config file format:

```
server:
  tls_compatibility: intermediate
```

##### server_url_prefix

Sets a URL prefix to use when serving the Fleet API and frontend. Prefixes should be in the form `/apps/fleet` (no trailing slash).

Note that some other configurations may need to be changed when modifying the URL prefix. In particular, URLs that are provided to osquery via flagfile, the configuration served by Fleet, the URL prefix used by `fleetctl`, and the redirect URL set with an identity provider.

- Default value: Empty (no prefix set)
- Environment variable: `FLEET_SERVER_URL_PREFIX`
- Config file format:

```
server:
  url_prefix: /apps/fleet
```

##### server_keepalive

Controls the server-side HTTP keep-alive property.

Turning off keepalives has helped reduce outstanding TCP connections in some deployments.

- Default value: true
- Environment variable: `FLEET_SERVER_KEEPALIVE`
- Config file format:

```
server:
  keepalive: true
```

##### server_websockets_allow_unsafe_origin

Controls the server's websocket origin check. If your Fleet server is behind a reverse proxy, the Origin header may not reflect the client's true origin. In this case, you might need to disable the origin header check (by setting this configuration to `true`) or configure your reverse proxy to forward the correct Origin header.

Setting to true will disable the origin check.

- Default value: false
- Environment variable: `FLEET_SERVER_WEBSOCKETS_ALLOW_UNSAFE_ORIGIN`
- Config file format:

```
server:
  websockets_allow_unsafe_origin: true
```

##### Example YAML

```yaml
server:
  address: 0.0.0.0:443
  cert: /tmp/fleet.crt
  key: /tmp/fleet.key
```

#### Auth

##### auth_bcrypt_cost

The bcrypt cost to use when hashing user passwords.

- Default value: `12`
- Environment variable: `FLEET_AUTH_BCRYPT_COST`
- Config file format:

```
auth:
  bcrypt_cost: 14
```

##### auth_salt_key_size

The key size of the salt which is generated when hashing user passwords.

- Default value: `24`
- Environment variable: `FLEET_AUTH_SALT_KEY_SIZE`
- Config file format:

```
auth:
  salt_key_size: 36
```

##### Example YAML

```yaml
auth:
  bcrypt_cost: 14
  salt_key_size: 36
```
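
A review of the security-relevant options from the MySQL, Redis, Server and Auth sections above, as an added example (not Fleet's own code). It reads `FLEET_*` environment variables; the findings, the accepted boolean spellings, and both sample environments are assumptions constructed for illustration.

```python
# Added example (not Fleet's own code): review FLEET_* environment settings for
# the security-relevant options documented above. The findings are this
# example's own review policy, not behaviour of the fleet binary.

# Defaults as listed on this page ("" stands for "none" / empty).
DEFAULTS = {
    "mysql_password_path": "",
    "mysql_tls_ca": "",
    "mysql_tls_config": "",
    "redis_use_tls": "false",
    "server_tls": "true",
    "server_websockets_allow_unsafe_origin": "false",
    "auth_bcrypt_cost": "12",
}


def _truthy(value):
    # Assumption: only these spellings are treated as true by this review.
    return value.strip().lower() in ("true", "1")


def audit(environ):
    """Return (option, finding) pairs for a mapping of environment variables."""
    explicit = {name[len("FLEET_"):].lower(): value
                for name, value in environ.items() if name.startswith("FLEET_")}
    opts = {**DEFAULTS, **explicit}
    findings = []

    # Secret handling: prefer the file-based option over an inline password.
    if not opts["mysql_password_path"]:
        if explicit.get("mysql_password"):
            findings.append(("mysql_password",
                             "password is in the environment; "
                             "mysql_password_path reads it from a file"))
        else:
            findings.append(("mysql_password",
                             "unset, so the documented default `fleet` applies"))

    # Transport security towards MySQL and Redis.
    tls = opts["mysql_tls_config"].strip().lower()
    if tls == "skip-verify":
        findings.append(("mysql_tls_config",
                         "skip-verify leaves the MySQL server certificate unverified"))
    elif tls == "false" or (tls == "" and not opts["mysql_tls_ca"]):
        findings.append(("mysql_tls_config",
                         "no TLS requested for the MySQL connection"))
    if not _truthy(opts["redis_use_tls"]):
        findings.append(("redis_use_tls", "Redis connection does not use TLS"))

    # Settings of the Fleet web server itself.
    if not _truthy(opts["server_tls"]):
        findings.append(("server_tls",
                         "Fleet does not terminate TLS; something in front of it must"))
    if _truthy(opts["server_websockets_allow_unsafe_origin"]):
        findings.append(("server_websockets_allow_unsafe_origin",
                         "websocket Origin check is disabled"))

    # Password hashing cost: compare with the documented default of 12.
    try:
        cost = int(opts["auth_bcrypt_cost"])
    except ValueError:
        cost = None
    if cost is None or cost < 12:
        findings.append(("auth_bcrypt_cost",
                         "not a number or below the documented default of 12"))
    return findings


# Constructed sample environments (not taken from a real deployment).
SAMPLE_ENV = {
    "FLEET_MYSQL_ADDRESS": "127.0.0.1:3306",
    "FLEET_MYSQL_PASSWORD": "toor",
    "FLEET_MYSQL_TLS_CONFIG": "skip-verify",
    "FLEET_SERVER_TLS": "false",
    "FLEET_SERVER_WEBSOCKETS_ALLOW_UNSAFE_ORIGIN": "true",
    "FLEET_AUTH_BCRYPT_COST": "10",
    "PATH": "/usr/bin",
}
HARDENED_ENV = {
    "FLEET_MYSQL_PASSWORD_PATH": "/run/secrets/fleetdm-mysql-password",
    "FLEET_MYSQL_TLS_CONFIG": "true",
    "FLEET_MYSQL_TLS_CA": "/path/to/server-ca.pem",
    "FLEET_REDIS_USE_TLS": "true",
    "FLEET_AUTH_BCRYPT_COST": "14",
}

if __name__ == "__main__":
    for option, finding in audit(SAMPLE_ENV):
        print(f"{option}: {finding}")
```
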

#### App

##### app_token_key_size

Size of generated app tokens.

- Default value: `24`
- Environment variable: `FLEET_APP_TOKEN_KEY_SIZE`
- Config file format:

```
app:
  token_key_size: 36
```

##### app_invite_token_validity_period

How long invite tokens should be valid for.

- Default value: `5 days`
- Environment variable: `FLEET_APP_INVITE_TOKEN_VALIDITY_PERIOD`
- Config file format:

```
app:
  invite_token_validity_period: 24h
```

##### app_enable_scheduled_query_stats

Determines whether Fleet gets scheduled query statistics from hosts or not.

- Default value: `true`
- Environment variable: `FLEET_APP_ENABLE_SCHEDULED_QUERY_STATS`
- Config file format:

```
app:
  enable_scheduled_query_stats: true
```

##### Example YAML

```yaml
app:
  token_key_size: 36
  invite_token_validity_period: 24h
```

#### License

##### license_key

The license key provided to Fleet customers which provides access to Fleet Premium features.

- Default value: none
- Environment variable: `FLEET_LICENSE_KEY`
- Config file format:

```
license:
  key: foobar
```

##### license_enforce_host_limit

Whether Fleet should enforce the host limit of the license. If true, attempting to enroll new hosts when the limit is reached will fail.

- Default value: `false`
- Environment variable: `FLEET_LICENSE_ENFORCE_HOST_LIMIT`
- Config file format:

```
license:
  enforce_host_limit: true
```

##### Example YAML

```yaml
license:
  key: foobar
  enforce_host_limit: false
```

#### Session

##### session_key_size

The size of the session key.

- Default value: `64`
- Environment variable: `FLEET_SESSION_KEY_SIZE`
- Config file format:

```
session:
  key_size: 48
```

##### session_duration

This is the amount of time that a session should last. Whenever a user logs in, the time is reset to the specified, or default, duration.

Valid time units are `s`, `m`, `h`.

- Default value: `5d` (5 days)
- Environment variable: `FLEET_SESSION_DURATION`
- Config file format:

```
session:
  duration: 4h
```

##### Example YAML

```yaml
session:
  duration: 4h
```

#### Osquery
2017-01-31 01:51:10 +00:00
2021-10-07 14:40:22 +00:00
##### osquery_node_key_size
2017-01-31 01:51:10 +00:00
The size of the node key which is negotiated with `osqueryd` clients.
- Default value: `24`
2021-04-19 18:58:44 +00:00
- Environment variable: `FLEET_OSQUERY_NODE_KEY_SIZE`
2017-01-31 01:51:10 +00:00
- Config file format:
2021-04-19 18:58:44 +00:00
```
osquery:
node_key_size: 36
```
2017-01-31 01:51:10 +00:00
##### osquery_host_identifier

The identifier to use when determining uniqueness of hosts.

Options are `provided` (default), `uuid`, `hostname`, or `instance`.

This setting works in combination with the `--host_identifier` flag in osquery. In most deployments, using `uuid` will be the best option. The flag defaults to `provided`, which preserves the existing behavior of Fleet's handling of host identifiers by using the identifier provided by osquery. `instance`, `uuid`, and `hostname` have the same meanings as in osquery's `--host_identifier` flag.

Users that have duplicate UUIDs in their environment can benefit from setting this flag to `instance`.

> If you are enrolling your hosts using Fleet-generated packages, it is recommended to use `uuid` as your identifier. This prevents potential issues with duplicate host enrollments.

- Default value: `provided`
- Environment variable: `FLEET_OSQUERY_HOST_IDENTIFIER`
- Config file format:
```
osquery:
  host_identifier: uuid
```
##### osquery_enroll_cooldown

The cooldown period for host enrollment. If a host (uniquely identified by the `osquery_host_identifier` option) tries to enroll within this duration from the last enrollment, enroll will fail.

This flag can be used to control load on the database in scenarios in which many hosts are using the same identifier. Often configuring `osquery_host_identifier` to `instance` may be a better solution.

- Default value: `0` (off)
- Environment variable: `FLEET_OSQUERY_ENROLL_COOLDOWN`
- Config file format:
```
osquery:
  enroll_cooldown: 1m
```
##### osquery_label_update_interval

The interval at which Fleet will ask osquery agents to update their results for label queries.

Setting this to a higher value can reduce baseline load on the Fleet server in larger deployments.

> Setting this to a lower value can increase baseline load significantly and cause performance issues or even outages. Proceed with caution.

Valid time units are `s`, `m`, `h`.

- Default value: `1h`
- Environment variable: `FLEET_OSQUERY_LABEL_UPDATE_INTERVAL`
- Config file format:
```
osquery:
  label_update_interval: 90m
```
##### osquery_policy_update_interval

The interval at which Fleet will ask osquery agents to update their results for policy queries.

Setting this to a higher value can reduce baseline load on the Fleet server in larger deployments.

> Setting this to a lower value can increase baseline load significantly and cause performance issues or even outages. Proceed with caution.

Valid time units are `s`, `m`, `h`.

- Default value: `1h`
- Environment variable: `FLEET_OSQUERY_POLICY_UPDATE_INTERVAL`
- Config file format:
```
osquery:
  policy_update_interval: 90m
```
##### osquery_detail_update_interval

The interval at which Fleet will ask osquery agents to update host details (such as uptime, hostname, network interfaces, etc.).

Setting this to a higher value can reduce baseline load on the Fleet server in larger deployments.

> Setting this to a lower value can increase baseline load significantly and cause performance issues or even outages. Proceed with caution.

Valid time units are `s`, `m`, `h`.

- Default value: `1h`
- Environment variable: `FLEET_OSQUERY_DETAIL_UPDATE_INTERVAL`
- Config file format:
```
osquery:
  detail_update_interval: 90m
```
##### osquery_status_log_plugin

This is the log output plugin that should be used for osquery status logs received from clients. Check out the [reference documentation for log destinations](https://fleetdm.com/docs/using-fleet/log-destinations).

Options are `filesystem`, `firehose`, `kinesis`, `lambda`, `pubsub`, `kafkarest`, and `stdout`.

- Default value: `filesystem`
- Environment variable: `FLEET_OSQUERY_STATUS_LOG_PLUGIN`
- Config file format:
```
osquery:
  status_log_plugin: firehose
```
##### osquery_result_log_plugin

This is the log output plugin that should be used for osquery result logs received from clients. Check out the [reference documentation for log destinations](https://fleetdm.com/docs/using-fleet/log-destinations).

Options are `filesystem`, `firehose`, `kinesis`, `lambda`, `pubsub`, `kafkarest`, and `stdout`.

- Default value: `filesystem`
- Environment variable: `FLEET_OSQUERY_RESULT_LOG_PLUGIN`
- Config file format:
```
osquery:
  result_log_plugin: firehose
```
##### osquery_max_jitter_percent

Given an update interval (label or details), this adds up to the defined percentage of randomness to the interval.

The goal of this is to prevent all hosts from checking in with data at the same time.

For example, if `label_update_interval` is `1h` and this is set to `10`, Fleet adds a random amount between 0 and 6 minutes to the time it takes to give the host the label queries.

- Default value: `10`
- Environment variable: `FLEET_OSQUERY_MAX_JITTER_PERCENT`
- Config file format:
```
osquery:
  max_jitter_percent: 10
```
##### osquery_enable_async_host_processing

**Experimental feature**. Enable asynchronous processing of hosts' query results. Currently, asynchronous processing is only supported for label query execution, policy membership results, hosts' last seen timestamp, and hosts' scheduled query statistics. This may improve the performance and CPU usage of the Fleet instances and MySQL database servers for setups with a large number of hosts while requiring more resources from Redis server(s).

Note that currently, if both the failing policies webhook *and* this `osquery.enable_async_host_processing` option are set, some failing policies webhooks could be missing (some transitions from succeeding to failing or vice-versa could happen without triggering a webhook request).

It can be set to a single boolean value ("true" or "false"), which controls all async host processing tasks, or it can be set for specific async tasks using a syntax similar to a URL query string or parameters in a Data Source Name (DSN) string, e.g., "label_membership=true&policy_membership=true". When using the per-task syntax, omitted tasks get the default value. The supported async task names are:

* `label_membership` for updating the hosts' label query execution;
* `policy_membership` for updating the hosts' policy membership results;
* `host_last_seen` for updating the hosts' last seen timestamp;
* `scheduled_query_stats` for saving the hosts' scheduled query statistics.

- Default value: false
- Environment variable: `FLEET_OSQUERY_ENABLE_ASYNC_HOST_PROCESSING`
- Config file format:
```
osquery:
  enable_async_host_processing: true
```
##### osquery_async_host_collect_interval

Applies only when `osquery_enable_async_host_processing` is enabled. Sets the interval at which the host data will be collected into the database. Each Fleet instance will attempt to do the collection at this interval (with some optional jitter added, see `osquery_async_host_collect_max_jitter_percent`), with only one succeeding to get the exclusive lock.

It can be set to a single duration value (e.g., "30s"), which defines the interval for all async host processing tasks, or it can be set for specific async tasks using a syntax similar to a URL query string or parameters in a Data Source Name (DSN) string, e.g., "label_membership=10s&policy_membership=1m". When using the per-task syntax, omitted tasks get the default value. See [osquery_enable_async_host_processing](#osquery_enable_async_host_processing) for the supported async task names.

- Default value: 30s
- Environment variable: `FLEET_OSQUERY_ASYNC_HOST_COLLECT_INTERVAL`
- Config file format:
```
osquery:
  async_host_collect_interval: 1m
```
##### osquery_async_host_collect_max_jitter_percent
Applies only when `osquery_enable_async_host_processing` is enabled. A number interpreted as a percentage of `osquery_async_host_collect_interval` to add to (or remove from) the interval so that not all hosts try to do the collection at the same time.
- Default value: 10
- Environment variable: `FLEET_OSQUERY_ASYNC_HOST_COLLECT_MAX_JITTER_PERCENT`
- Config file format:
```
osquery:
  async_host_collect_max_jitter_percent: 5
```
##### osquery_async_host_collect_lock_timeout

Applies only when `osquery_enable_async_host_processing` is enabled. Timeout of the lock acquired by a Fleet instance to collect host data into the database. If the collection runs for too long or the instance crashes unexpectedly, the lock will be automatically released after this duration and another Fleet instance can proceed with the next collection.

It can be set to a single duration value (e.g., "1m"), which defines the lock timeout for all async host processing tasks, or it can be set for specific async tasks using a syntax similar to a URL query string or parameters in a Data Source Name (DSN) string, e.g., "label_membership=2m&policy_membership=5m". When using the per-task syntax, omitted tasks get the default value. See [osquery_enable_async_host_processing](#osquery_enable_async_host_processing) for the supported async task names.

- Default value: 1m
- Environment variable: `FLEET_OSQUERY_ASYNC_HOST_COLLECT_LOCK_TIMEOUT`
- Config file format:
```
osquery:
  async_host_collect_lock_timeout: 5m
```
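The per-task syntax shared by `osquery_enable_async_host_processing`, `osquery_async_host_collect_interval` and `osquery_async_host_collect_lock_timeout` can be resolved as in the following Go program. It is an added example, not Fleet's own parser: the function names are hypothetical, and rejecting unknown task names is an assumption of this example so that a typo does not silently leave a task on its default.

```go
package main

import (
	"fmt"
	"net/url"
	"strconv"
	"strings"
	"time"
)

// Async task names listed under osquery_enable_async_host_processing.
var asyncTasks = []string{
	"label_membership", "policy_membership", "host_last_seen", "scheduled_query_stats",
}

// splitPerTask returns the raw value for each task. A value without "="
// applies to every task; otherwise it is read as name=value pairs joined
// by "&", and tasks that are not named keep def.
func splitPerTask(raw, def string) (map[string]string, error) {
	out := make(map[string]string, len(asyncTasks))
	raw = strings.TrimSpace(raw)
	single := raw != "" && !strings.Contains(raw, "=")
	for _, t := range asyncTasks {
		out[t] = def
		if single {
			out[t] = raw
		}
	}
	if raw == "" || single {
		return out, nil
	}
	pairs, err := url.ParseQuery(raw)
	if err != nil {
		return nil, fmt.Errorf("invalid per-task syntax %q: %w", raw, err)
	}
	for name, vals := range pairs {
		if _, known := out[name]; !known {
			// Assumption of this example: fail on names that are not documented.
			return nil, fmt.Errorf("unknown async task %q", name)
		}
		if len(vals) != 1 || vals[0] == "" {
			return nil, fmt.Errorf("task %q needs exactly one value", name)
		}
		out[name] = vals[0]
	}
	return out, nil
}

// parseEnabled resolves osquery_enable_async_host_processing (default false).
func parseEnabled(raw string) (map[string]bool, error) {
	vals, err := splitPerTask(raw, "false")
	if err != nil {
		return nil, err
	}
	out := make(map[string]bool, len(vals))
	for task, v := range vals {
		b, err := strconv.ParseBool(v)
		if err != nil {
			return nil, fmt.Errorf("task %q: %q is not a boolean", task, v)
		}
		out[task] = b
	}
	return out, nil
}

// parseDurations resolves a duration option such as
// osquery_async_host_collect_interval; def is the documented default.
func parseDurations(raw string, def time.Duration) (map[string]time.Duration, error) {
	vals, err := splitPerTask(raw, def.String())
	if err != nil {
		return nil, err
	}
	out := make(map[string]time.Duration, len(vals))
	for task, v := range vals {
		d, err := time.ParseDuration(v)
		if err != nil {
			return nil, fmt.Errorf("task %q: %q is not a duration", task, v)
		}
		out[task] = d
	}
	return out, nil
}

func main() {
	// Constructed sample values in the documented syntax.
	en, _ := parseEnabled("label_membership=true&policy_membership=true")
	iv, _ := parseDurations("label_membership=10s&policy_membership=1m", 30*time.Second)
	for _, t := range asyncTasks {
		fmt.Printf("%-22s enabled=%-5v interval=%s\n", t, en[t], iv[t])
	}
}
```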
##### osquery_async_host_collect_log_stats_interval
Applies only when `osquery_enable_async_host_processing` is enabled. Interval at which the host collection statistics are logged, 0 to disable logging of statistics. Note that logging is done at the "debug" level.
- Default value: 1m
- Environment variable: `FLEET_OSQUERY_ASYNC_HOST_COLLECT_LOG_STATS_INTERVAL`
- Config file format:
```
osquery:
  async_host_collect_log_stats_interval: 5m
```
##### osquery_async_host_insert_batch
Applies only when `osquery_enable_async_host_processing` is enabled. Size of the INSERT batch when collecting host data into the database.
- Default value: 2000
- Environment variable: `FLEET_OSQUERY_ASYNC_HOST_INSERT_BATCH`
- Config file format:
```
osquery:
  async_host_insert_batch: 1000
```
##### osquery_async_host_delete_batch
Applies only when `osquery_enable_async_host_processing` is enabled. Size of the DELETE batch when collecting host data into the database.
- Default value: 2000
- Environment variable: `FLEET_OSQUERY_ASYNC_HOST_DELETE_BATCH`
- Config file format:
```
osquery:
  async_host_delete_batch: 1000
```
##### osquery_async_host_update_batch
Applies only when `osquery_enable_async_host_processing` is enabled. Size of the UPDATE batch when collecting host data into the database.
- Default value: 1000
- Environment variable: `FLEET_OSQUERY_ASYNC_HOST_UPDATE_BATCH`
- Config file format:
```
osquery:
  async_host_update_batch: 500
```
##### osquery_async_host_redis_pop_count
Applies only when `osquery_enable_async_host_processing` is enabled. Maximum number of items to pop from a redis key at a time when collecting host data into the database.
- Default value: 1000
- Environment variable: `FLEET_OSQUERY_ASYNC_HOST_REDIS_POP_COUNT`
- Config file format:
```
osquery:
  async_host_redis_pop_count: 500
```
##### osquery_async_host_redis_scan_keys_count
Applies only when `osquery_enable_async_host_processing` is enabled. Order of magnitude (e.g., 10, 100, 1000, etc.) of set members to scan in a single ZSCAN/SSCAN request for items to process when collecting host data into the database.
- Default value: 1000
- Environment variable: `FLEET_OSQUERY_ASYNC_HOST_REDIS_SCAN_KEYS_COUNT`
- Config file format:
```
osquery:
  async_host_redis_scan_keys_count: 100
```
##### osquery_min_software_last_opened_at_diff
The minimum time difference between the software's "last opened at" timestamp reported by osquery and the last timestamp saved for that software on that host helps minimize the number of updates required when a host reports its installed software information, resulting in less load on the database. If there is no existing timestamp for the software on that host (or if the software was not installed on that host previously), the new timestamp is automatically saved.
- Default value: 1h
- Environment variable: `FLEET_OSQUERY_MIN_SOFTWARE_LAST_OPENED_AT_DIFF`
- Config file format:
```
osquery:
  min_software_last_opened_at_diff: 4h
```
##### Example YAML
```yaml
osquery:
  host_identifier: uuid
  policy_update_interval: 30m
  status_log_plugin: firehose
  result_log_plugin: firehose
```
#### External Activity Audit Logging
> Applies only to Fleet Premium. Activity information is available for all Fleet instances using the [Activities API](https://fleetdm.com/docs/using-fleet/rest-api#activities).

Stream Fleet user activities to logs using Fleet's logging plugins. The audit events are logged in an asynchronous fashion. It can take up to 5 minutes for an event to be logged.
##### activity_enable_audit_log

This enables/disables the log output for audit events.
See the `activity_audit_log_plugin` option below that specifies the logging destination.
- Default value: `false`
- Environment variable: `FLEET_ACTIVITY_ENABLE_AUDIT_LOG`
- Config file format:
```yaml
activity:
  enable_audit_log: true
```
##### activity_audit_log_plugin

This is the log output plugin that should be used for audit logs.

This flag only has effect if `activity_enable_audit_log` is set to `true`.

Each plugin has additional configuration options. Please see the configuration section linked below for your logging plugin.
Options are [`filesystem`](#filesystem), [`firehose`](#firehose), [`kinesis`](#kinesis), [`lambda`](#lambda), [`pubsub`](#pubsub), [`kafkarest`](#kafka-rest-proxy-logging), and `stdout` (no additional configuration needed).

- Default value: `filesystem`
- Environment variable: `FLEET_ACTIVITY_AUDIT_LOG_PLUGIN`
- Config file format:
```yaml
activity:
  audit_log_plugin: firehose
```
#### Logging (Fleet server logging)
##### logging_debug

Whether or not to enable debug logging.
- Default value: `false`
- Environment variable: `FLEET_LOGGING_DEBUG`
- Config file format:
```
logging:
  debug: true
```
##### logging_json

Whether or not to log in JSON.
- Default value: `false`
- Environment variable: `FLEET_LOGGING_JSON`
- Config file format:
```
logging:
  json: true
```
##### logging_disable_banner

Whether or not to log the welcome banner.
- Default value: `false`
- Environment variable: `FLEET_LOGGING_DISABLE_BANNER`
- Config file format:
```
logging:
  disable_banner: true
```
##### logging_error_retention_period

The amount of time to keep an error. Unique instances of errors are stored temporarily to help with troubleshooting; this setting controls that duration. Set to 0 to keep them without expiration, and to a negative value to disable storage of errors in Redis.
- Default value: 24h
- Environment variable: `FLEET_LOGGING_ERROR_RETENTION_PERIOD`
- Config file format:
```
logging:
  error_retention_period: 1h
```
##### Example YAML
```yaml
logging:
  disable_banner: true
  error_retention_period: 1h
```
#### Filesystem
##### filesystem_status_log_file

This flag only has effect if `osquery_status_log_plugin` is set to `filesystem` (the default value).
The path which osquery status logs will be logged to.
- Default value: `/tmp/osquery_status`
- Environment variable: `FLEET_FILESYSTEM_STATUS_LOG_FILE`
- Config file format:
```
filesystem:
  status_log_file: /var/log/osquery/status.log
```
##### filesystem_result_log_file

This flag only has effect if `osquery_result_log_plugin` is set to `filesystem` (the default value).
The path which osquery result logs will be logged to.
- Default value: `/tmp/osquery_result`
- Environment variable: `FLEET_FILESYSTEM_RESULT_LOG_FILE`
- Config file format:
```
filesystem:
  result_log_file: /var/log/osquery/result.log
```
##### filesystem_audit_log_file

This flag only has effect if `activity_audit_log_plugin` is set to `filesystem` (the default value) and if `activity_enable_audit_log` is set to `true`.
The path which audit logs will be logged to.
- Default value: `/tmp/audit`
- Environment variable: `FLEET_FILESYSTEM_AUDIT_LOG_FILE`
- Config file format:
```yaml
filesystem:
  audit_log_file: /var/log/fleet/audit.log
```
##### filesystem_enable_log_rotation

This flag only has effect if one of the following is true:
- `osquery_result_log_plugin` or `osquery_status_log_plugin` are set to `filesystem` (the default value).
- `activity_audit_log_plugin` is set to `filesystem` and `activity_enable_audit_log` is set to `true`.

This flag will cause the osquery result and status log files to be automatically rotated when files reach a size of 500 MB or an age of 28 days.
- Default value: `false`
- Environment variable: `FLEET_FILESYSTEM_ENABLE_LOG_ROTATION`
- Config file format:
```
filesystem:
  enable_log_rotation: true
```
##### filesystem_enable_log_compression

This flag only has effect if `filesystem_enable_log_rotation` is set to `true`.
This flag will cause the rotated logs to be compressed with gzip.
- Default value: `false`
- Environment variable: `FLEET_FILESYSTEM_ENABLE_LOG_COMPRESSION`
- Config file format:
```
filesystem:
  enable_log_compression: true
```
##### filesystem_max_size

This flag only has effect if `filesystem_enable_log_rotation` is set to `true`.
Sets the maximum size, in megabytes, that a log file can reach before it is rotated.
- Default value: `500`
- Environment variable: `FLEET_FILESYSTEM_MAX_SIZE`
- Config file format:
```
filesystem:
  max_size: 100
```
##### filesystem_max_age
This flag only has effect if `filesystem_enable_log_rotation` is set to `true` .
Sets the maximum age in days to retain old log files before deletion. Setting this
to zero will retain all logs.
- Default value: `28`
- Environment variable: `FLEET_FILESYSTEM_MAX_AGE`
- Config file format:
```
filesystem:
  max_age: 0
```
##### filesystem_max_backups

This flag only has effect if `filesystem_enable_log_rotation` is set to `true`.
Sets the maximum number of old files to retain before deletion. Setting this to zero will retain all logs. _Note:_ `max_age` may still cause them to be deleted.
- Default value: `3`
- Environment variable: `FLEET_FILESYSTEM_MAX_BACKUPS`
- Config file format:
```
filesystem:
  max_backups: 0
```
##### Example YAML
```yaml
osquery:
  status_log_plugin: filesystem
  result_log_plugin: filesystem
filesystem:
  status_log_file: /var/log/osquery/status.log
  result_log_file: /var/log/osquery/result.log
  enable_log_rotation: true
```
#### Firehose
##### firehose_region

This flag only has effect if one of the following is true:
- `osquery_result_log_plugin` or `osquery_status_log_plugin` are set to `firehose`.
- `activity_audit_log_plugin` is set to `firehose` and `activity_enable_audit_log` is set to `true`.

AWS region to use for Firehose connection.
- Default value: none
- Environment variable: `FLEET_FIREHOSE_REGION`
- Config file format:
```
firehose:
  region: ca-central-1
```
##### firehose_access_key_id

This flag only has effect if one of the following is true:
- `osquery_result_log_plugin` or `osquery_status_log_plugin` are set to `firehose`.
- `activity_audit_log_plugin` is set to `firehose` and `activity_enable_audit_log` is set to `true`.

If `firehose_access_key_id` and `firehose_secret_access_key` are omitted, Fleet will try to use [AWS STS](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html) credentials.

AWS access key ID to use for Firehose authentication.
- Default value: none
- Environment variable: `FLEET_FIREHOSE_ACCESS_KEY_ID`
- Config file format:
```
firehose:
  access_key_id: AKIAIOSFODNN7EXAMPLE
```
##### firehose_secret_access_key

This flag only has effect if one of the following is true:
- `osquery_result_log_plugin` or `osquery_status_log_plugin` are set to `firehose`.
- `activity_audit_log_plugin` is set to `firehose` and `activity_enable_audit_log` is set to `true`.

AWS secret access key to use for Firehose authentication.
- Default value: none
- Environment variable: `FLEET_FIREHOSE_SECRET_ACCESS_KEY`
- Config file format:
```
firehose:
  secret_access_key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
```
##### firehose_sts_assume_role_arn

This flag only has effect if one of the following is true:
- `osquery_result_log_plugin` or `osquery_status_log_plugin` are set to `firehose`.
- `activity_audit_log_plugin` is set to `firehose` and `activity_enable_audit_log` is set to `true`.

AWS STS role ARN to use for Firehose authentication.
- Default value: none
- Environment variable: `FLEET_FIREHOSE_STS_ASSUME_ROLE_ARN`
- Config file format:
```
firehose:
  sts_assume_role_arn: arn:aws:iam::1234567890:role/firehose-role
```
##### firehose_status_stream

This flag only has effect if `osquery_status_log_plugin` is set to `firehose`.
Name of the Firehose stream to write osquery status logs received from clients.
- Default value: none
- Environment variable: `FLEET_FIREHOSE_STATUS_STREAM`
- Config file format:
```
firehose:
  status_stream: osquery_status
```

The IAM role used to send to Firehose must allow the following permissions on the stream listed:
- `firehose:DescribeDeliveryStream`
- `firehose:PutRecordBatch`
##### firehose_result_stream

This flag only has effect if `osquery_result_log_plugin` is set to `firehose`.
Name of the Firehose stream to write osquery result logs received from clients.
- Default value: none
- Environment variable: `FLEET_FIREHOSE_RESULT_STREAM`
- Config file format:
```
firehose:
  result_stream: osquery_result
```

The IAM role used to send to Firehose must allow the following permissions on the stream listed:
- `firehose:DescribeDeliveryStream`
- `firehose:PutRecordBatch`
##### firehose_audit_stream

This flag only has effect if `activity_audit_log_plugin` is set to `firehose`.
Name of the Firehose stream to write audit logs.
- Default value: none
- Environment variable: `FLEET_FIREHOSE_AUDIT_STREAM`
- Config file format:
```yaml
firehose:
  audit_stream: fleet_audit
```

The IAM role used to send to Firehose must allow the following permissions on the stream listed:
- `firehose:DescribeDeliveryStream`
- `firehose:PutRecordBatch`
##### Example YAML
```yaml
osquery:
  status_log_plugin: firehose
  result_log_plugin: firehose
firehose:
  region: ca-central-1
  access_key_id: AKIAIOSFODNN7EXAMPLE
  secret_access_key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
  sts_assume_role_arn: arn:aws:iam::1234567890:role/firehose-role
  status_stream: osquery_status
  result_stream: osquery_result
```
#### Kinesis
##### kinesis_region

This flag only has effect if one of the following is true:
- `osquery_result_log_plugin` or `osquery_status_log_plugin` are set to `kinesis`.
- `activity_audit_log_plugin` is set to `kinesis` and `activity_enable_audit_log` is set to `true`.

AWS region to use for Kinesis connection.
- Default value: none
- Environment variable: `FLEET_KINESIS_REGION`
- Config file format:
```
kinesis:
  region: ca-central-1
```
##### kinesis_access_key_id

This flag only has effect if one of the following is true:
- `osquery_result_log_plugin` or `osquery_status_log_plugin` are set to `kinesis`.
- `activity_audit_log_plugin` is set to `kinesis` and `activity_enable_audit_log` is set to `true`.

If `kinesis_access_key_id` and `kinesis_secret_access_key` are omitted, Fleet will try to use [AWS STS](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html) credentials.

AWS access key ID to use for Kinesis authentication.
- Default value: none
- Environment variable: `FLEET_KINESIS_ACCESS_KEY_ID`
- Config file format:
```
kinesis:
  access_key_id: AKIAIOSFODNN7EXAMPLE
```
##### kinesis_secret_access_key

This flag only has effect if one of the following is true:
- `osquery_result_log_plugin` or `osquery_status_log_plugin` are set to `kinesis`.
- `activity_audit_log_plugin` is set to `kinesis` and `activity_enable_audit_log` is set to `true`.

AWS secret access key to use for Kinesis authentication.
- Default value: none
- Environment variable: `FLEET_KINESIS_SECRET_ACCESS_KEY`
- Config file format:
```
kinesis:
  secret_access_key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
```
##### kinesis_sts_assume_role_arn

This flag only has effect if one of the following is true:
- `osquery_result_log_plugin` or `osquery_status_log_plugin` are set to `kinesis`.
- `activity_audit_log_plugin` is set to `kinesis` and `activity_enable_audit_log` is set to `true`.

AWS STS role ARN to use for Kinesis authentication.
- Default value: none
- Environment variable: `FLEET_KINESIS_STS_ASSUME_ROLE_ARN`
- Config file format:
```
kinesis:
  sts_assume_role_arn: arn:aws:iam::1234567890:role/kinesis-role
```
##### kinesis_status_stream

This flag only has effect if `osquery_status_log_plugin` is set to `kinesis`.
Name of the Kinesis stream to write osquery status logs received from clients.
- Default value: none
- Environment variable: `FLEET_KINESIS_STATUS_STREAM`
- Config file format:
```
kinesis:
  status_stream: osquery_status
```

The IAM role used to send to Kinesis must allow the following permissions on the stream listed:
- `kinesis:DescribeStream`
- `kinesis:PutRecords`
2021-10-07 14:40:22 +00:00
##### kinesis_result_stream

This flag only has effect if `osquery_result_log_plugin` is set to `kinesis`.

Name of the Kinesis stream to write osquery result logs received from clients.

- Default value: none
- Environment variable: `FLEET_KINESIS_RESULT_STREAM`
- Config file format:

```
kinesis:
  result_stream: osquery_result
```

The IAM role used to send to Kinesis must allow the following permissions on
the stream listed:

- `kinesis:DescribeStream`
- `kinesis:PutRecords`

##### kinesis_audit_stream

This flag only has effect if `activity_audit_log_plugin` is set to `kinesis`.

Name of the Kinesis stream to write audit logs.

- Default value: none
- Environment variable: `FLEET_KINESIS_AUDIT_STREAM`
- Config file format:

```yaml
kinesis:
  audit_stream: fleet_audit
```

The IAM role used to send to Kinesis must allow the following permissions on
the stream listed:

- `kinesis:DescribeStream`
- `kinesis:PutRecords`

##### Example YAML

```yaml
osquery:
  status_log_plugin: kinesis
  result_log_plugin: kinesis
kinesis:
  region: ca-central-1
  access_key_id: AKIAIOSFODNN7EXAMPLE
  secret_access_key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
  sts_assume_role_arn: arn:aws:iam::1234567890:role/firehose-role
  status_stream: osquery_status
  result_stream: osquery_result
```

#### Lambda

##### lambda_region

This flag only has effect if one of the following is true:
- `osquery_result_log_plugin` or `osquery_status_log_plugin` is set to `lambda`.
- `activity_audit_log_plugin` is set to `lambda` and `activity_enable_audit_log` is set to `true`.

AWS region to use for Lambda connection.

- Default value: none
- Environment variable: `FLEET_LAMBDA_REGION`
- Config file format:

```
lambda:
  region: ca-central-1
```

##### lambda_access_key_id

This flag only has effect if one of the following is true:
- `osquery_result_log_plugin` or `osquery_status_log_plugin` is set to `lambda`.
- `activity_audit_log_plugin` is set to `lambda` and `activity_enable_audit_log` is set to `true`.

If `lambda_access_key_id` and `lambda_secret_access_key` are omitted, Fleet
will try to use
[AWS STS](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html)
credentials.

AWS access key ID to use for Lambda authentication.

- Default value: none
- Environment variable: `FLEET_LAMBDA_ACCESS_KEY_ID`
- Config file format:

```
lambda:
  access_key_id: AKIAIOSFODNN7EXAMPLE
```

##### lambda_secret_access_key

This flag only has effect if one of the following is true:
- `osquery_result_log_plugin` or `osquery_status_log_plugin` is set to `lambda`.
- `activity_audit_log_plugin` is set to `lambda` and `activity_enable_audit_log` is set to `true`.

AWS secret access key to use for Lambda authentication.

- Default value: none
- Environment variable: `FLEET_LAMBDA_SECRET_ACCESS_KEY`
- Config file format:

```
lambda:
  secret_access_key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
```

##### lambda_sts_assume_role_arn

This flag only has effect if one of the following is true:
- `osquery_result_log_plugin` or `osquery_status_log_plugin` is set to `lambda`.
- `activity_audit_log_plugin` is set to `lambda` and `activity_enable_audit_log` is set to `true`.

AWS STS role ARN to use for Lambda authentication.

- Default value: none
- Environment variable: `FLEET_LAMBDA_STS_ASSUME_ROLE_ARN`
- Config file format:

```
lambda:
  sts_assume_role_arn: arn:aws:iam::1234567890:role/lambda-role
```

##### lambda_status_function

This flag only has effect if `osquery_status_log_plugin` is set to `lambda`.

Name of the Lambda function to write osquery status logs received from clients.

- Default value: none
- Environment variable: `FLEET_LAMBDA_STATUS_FUNCTION`
- Config file format:

```
lambda:
  status_function: statusFunction
```

The IAM role used to send to Lambda must allow the following permissions on
the function listed:

- `lambda:InvokeFunction`

##### lambda_result_function

This flag only has effect if `osquery_result_log_plugin` is set to `lambda`.

Name of the Lambda function to write osquery result logs received from clients.

- Default value: none
- Environment variable: `FLEET_LAMBDA_RESULT_FUNCTION`
- Config file format:

```
lambda:
  result_function: resultFunction
```

The IAM role used to send to Lambda must allow the following permissions on
the function listed:

- `lambda:InvokeFunction`

##### lambda_audit_function

This flag only has effect if `activity_audit_log_plugin` is set to `lambda`.

Name of the Lambda function to write audit logs.

- Default value: none
- Environment variable: `FLEET_LAMBDA_AUDIT_FUNCTION`
- Config file format:

```yaml
lambda:
  audit_function: auditFunction
```

The IAM role used to send to Lambda must allow the following permissions on
the function listed:

- `lambda:InvokeFunction`

##### Example YAML

```yaml
osquery:
  status_log_plugin: lambda
  result_log_plugin: lambda
lambda:
  region: ca-central-1
  access_key_id: AKIAIOSFODNN7EXAMPLE
  secret_access_key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
  sts_assume_role_arn: arn:aws:iam::1234567890:role/firehose-role
  status_function: statusFunction
  result_function: resultFunction
```

#### PubSub

##### pubsub_project

This flag only has effect if one of the following is true:
- `osquery_result_log_plugin` or `osquery_status_log_plugin` is set to `pubsub`.
- `activity_audit_log_plugin` is set to `pubsub` and `activity_enable_audit_log` is set to `true`.

The identifier of the Google Cloud project containing the pubsub topics to
publish logs to.

Note that the pubsub plugin uses [Application Default Credentials (ADCs)](https://cloud.google.com/docs/authentication/production)
for authentication with the service.

- Default value: none
- Environment variable: `FLEET_PUBSUB_PROJECT`
- Config file format:

```
pubsub:
  project: my-gcp-project
```

##### pubsub_result_topic

This flag only has effect if `osquery_result_log_plugin` is set to `pubsub`.

The identifier of the pubsub topic that client results will be published to.

- Default value: none
- Environment variable: `FLEET_PUBSUB_RESULT_TOPIC`
- Config file format:

```
pubsub:
  result_topic: osquery_result
```

##### pubsub_status_topic

This flag only has effect if `osquery_status_log_plugin` is set to `pubsub`.

The identifier of the pubsub topic that osquery status logs will be published to.

- Default value: none
- Environment variable: `FLEET_PUBSUB_STATUS_TOPIC`
- Config file format:

```
pubsub:
  status_topic: osquery_status
```

##### pubsub_audit_topic

This flag only has effect if `activity_audit_log_plugin` is set to `pubsub`.

The identifier of the pubsub topic that audit logs will be published to.

- Default value: none
- Environment variable: `FLEET_PUBSUB_AUDIT_TOPIC`
- Config file format:

```yaml
pubsub:
  audit_topic: fleet_audit
```

##### pubsub_add_attributes

This flag only has effect if `osquery_status_log_plugin` is set to `pubsub`.

Add Pub/Sub attributes to messages. When enabled, the plugin parses the osquery result
messages, and adds the following Pub/Sub message attributes:

- `name` - the `name` attribute from the message body
- `timestamp` - the `unixTime` attribute from the message body, converted to RFC 3339 format
- Each decoration from the message

This feature is useful when combined with [subscription filters](https://cloud.google.com/pubsub/docs/filtering).

- Default value: false
- Environment variable: `FLEET_PUBSUB_ADD_ATTRIBUTES`
- Config file format:

```
pubsub:
  add_attributes: true
```

##### Example YAML

```yaml
osquery:
  status_log_plugin: pubsub
  result_log_plugin: pubsub
pubsub:
  project: my-gcp-project
  result_topic: osquery_result
  status_topic: osquery_status
```

#### Kafka REST Proxy logging

##### kafkarest_proxyhost

This flag only has effect if one of the following is true:
- `osquery_result_log_plugin` or `osquery_status_log_plugin` is set to `kafkarest`.
- `activity_audit_log_plugin` is set to `kafkarest` and `activity_enable_audit_log` is set to `true`.

The URL of the Kafka REST Proxy host, used to check that the topic exists and to post messages to the specified topic.

- Default value: none
- Environment variable: `FLEET_KAFKAREST_PROXYHOST`
- Config file format:

```yaml
kafkarest:
  proxyhost: "https://localhost:8443"
```

##### kafkarest_status_topic

This flag only has effect if `osquery_status_log_plugin` is set to `kafkarest`.

The identifier of the Kafka topic that osquery status logs will be published to.

- Default value: none
- Environment variable: `FLEET_KAFKAREST_STATUS_TOPIC`
- Config file format:

```yaml
kafkarest:
  status_topic: osquery_status
```

##### kafkarest_result_topic

This flag only has effect if `osquery_result_log_plugin` is set to `kafkarest`.

The identifier of the Kafka topic that osquery result logs will be published to.

- Default value: none
- Environment variable: `FLEET_KAFKAREST_RESULT_TOPIC`
- Config file format:

```yaml
kafkarest:
  result_topic: osquery_result
```

##### kafkarest_audit_topic

This flag only has effect if `activity_audit_log_plugin` is set to `kafkarest`.

The identifier of the Kafka topic that audit logs will be published to.

- Default value: none
- Environment variable: `FLEET_KAFKAREST_AUDIT_TOPIC`
- Config file format:

```yaml
kafkarest:
  audit_topic: fleet_audit
```

##### kafkarest_timeout

This flag only has effect if one of the following is true:
- `osquery_result_log_plugin` or `osquery_status_log_plugin` is set to `kafkarest`.
- `activity_audit_log_plugin` is set to `kafkarest` and `activity_enable_audit_log` is set to `true`.

The timeout value for the HTTP POST attempt. Value is in units of seconds.

- Default value: 5
- Environment variable: `FLEET_KAFKAREST_TIMEOUT`
- Config file format:

```yaml
kafkarest:
  timeout: 5
```

##### kafkarest_content_type_value

This flag only has effect if one of the following is true:
- `osquery_result_log_plugin` or `osquery_status_log_plugin` is set to `kafkarest`.
- `activity_audit_log_plugin` is set to `kafkarest` and `activity_enable_audit_log` is set to `true`.

The value of the Content-Type header to use in Kafka REST Proxy API calls. More information about available versions
can be found [here](https://docs.confluent.io/platform/current/kafka-rest/api.html#content-types). _Note: only JSON format is supported._

- Default value: application/vnd.kafka.json.v1+json
- Environment variable: `FLEET_KAFKAREST_CONTENT_TYPE_VALUE`
- Config file format:

```yaml
kafkarest:
  content_type_value: application/vnd.kafka.json.v2+json
```

##### Example YAML

```yaml
osquery:
  status_log_plugin: kafkarest
  result_log_plugin: kafkarest
kafkarest:
  proxyhost: "https://localhost:8443"
  result_topic: osquery_result
  status_topic: osquery_status
```

#### Email backend

By default, the SMTP backend is enabled and no additional configuration is required on the server settings. You can configure
SMTP through the [Fleet console UI](https://fleetdm.com/docs/using-fleet/configuration-files#smtp-settings). However, you can also
configure Fleet to use AWS SES natively rather than through SMTP.

##### backend

Enable SES support for Fleet. You must also configure the SES settings, such as `ses.source_arn`.

```yaml
email:
  backend: ses
```

#### SES

The following configurations only have an effect if the SES email backend is enabled (`FLEET_EMAIL_BACKEND=ses`).

##### ses_region

This flag only has effect if `email.backend` or `FLEET_EMAIL_BACKEND` is set to `ses`.

AWS region to use for SES connection.

- Default value: none
- Environment variable: `FLEET_SES_REGION`
- Config file format:

```yaml
ses:
  region: us-east-2
```

##### ses_access_key_id

This flag only has effect if `email.backend` or `FLEET_EMAIL_BACKEND` is set to `ses`.

If `ses_access_key_id` and `ses_secret_access_key` are omitted, Fleet
will try to use
[AWS STS](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html)
credentials.

AWS access key ID to use for SES authentication.

- Default value: none
- Environment variable: `FLEET_SES_ACCESS_KEY_ID`
- Config file format:

```
ses:
  access_key_id: AKIAIOSFODNN7EXAMPLE
```

##### ses_secret_access_key

This flag only has effect if `email.backend` or `FLEET_EMAIL_BACKEND` is set to `ses`.

If `ses_access_key_id` and `ses_secret_access_key` are omitted, Fleet
will try to use
[AWS STS](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html)
credentials.

AWS secret access key to use for SES authentication.

- Default value: none
- Environment variable: `FLEET_SES_SECRET_ACCESS_KEY`
- Config file format:

```yaml
ses:
  secret_access_key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
```

##### ses_sts_assume_role_arn

This flag only has effect if `email.backend` or `FLEET_EMAIL_BACKEND` is set to `ses`.

AWS STS role ARN to use for SES authentication.

- Default value: none
- Environment variable: `FLEET_SES_STS_ASSUME_ROLE_ARN`
- Config file format:

```yaml
ses:
  sts_assume_role_arn: arn:aws:iam::1234567890:role/ses-role
```

##### ses_source_arn

This flag only has effect if `email.backend` or `FLEET_EMAIL_BACKEND` is set to `ses`. This configuration **is
required** when using the SES email backend.

The ARN of the identity that is associated with the sending authorization policy that permits you to send
for the email address specified in the Source parameter of SendRawEmail.

- Default value: none
- Environment variable: `FLEET_SES_SOURCE_ARN`
- Config file format:

```yaml
ses:
  source_arn: <ARN of the SES sending identity>
```

#### S3 file carving backend

##### s3_bucket

Name of the S3 bucket to use to store file carves.

- Default value: none
- Environment variable: `FLEET_S3_BUCKET`
- Config file format:

```
s3:
  bucket: some-carve-bucket
```

##### s3_prefix

Prefix to prepend to carve objects.

All carve objects will also be prefixed by date and hour (UTC), making the resulting keys look like: `<prefix><year>/<month>/<day>/<hour>/<carve-name>`.

- Default value: none
- Environment variable: `FLEET_S3_PREFIX`
- Config file format:

```
s3:
  prefix: carves-go-here/
```

##### s3_access_key_id

AWS access key ID to use for S3 authentication.

If `s3_access_key_id` and `s3_secret_access_key` are omitted, Fleet will try to use
[the default credential provider chain](https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials).

The IAM identity used in this context must be allowed to perform the following actions on the bucket: `s3:PutObject`, `s3:GetObject`, `s3:ListMultipartUploadParts`, `s3:ListBucket`, `s3:GetBucketLocation`.

- Default value: none
- Environment variable: `FLEET_S3_ACCESS_KEY_ID`
- Config file format:

```
s3:
  access_key_id: AKIAIOSFODNN7EXAMPLE
```

##### s3_secret_access_key

AWS secret access key to use for S3 authentication.

- Default value: none
- Environment variable: `FLEET_S3_SECRET_ACCESS_KEY`
- Config file format:

```
s3:
  secret_access_key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
```

##### s3_sts_assume_role_arn

AWS STS role ARN to use for S3 authentication.

- Default value: none
- Environment variable: `FLEET_S3_STS_ASSUME_ROLE_ARN`
- Config file format:

```
s3:
  sts_assume_role_arn: arn:aws:iam::1234567890:role/some-s3-role
```

##### s3_endpoint_url

AWS S3 Endpoint URL. Override when using a different S3-compatible object storage backend (such as Minio),
or running S3 locally with localstack. Leave this blank to use the default S3 service endpoint.

- Default value: none
- Environment variable: `FLEET_S3_ENDPOINT_URL`
- Config file format:

```
s3:
  endpoint_url: http://localhost:9000
```

##### s3_disable_ssl

AWS S3 Disable SSL. Useful for local testing.

- Default value: false
- Environment variable: `FLEET_S3_DISABLE_SSL`
- Config file format:

```
s3:
  disable_ssl: false
```

##### s3_force_s3_path_style

AWS S3 Force S3 Path Style. Set this to `true` to force the request to use path-style addressing,
i.e., `http://s3.amazonaws.com/BUCKET/KEY`. By default, the S3 client
will use virtual hosted bucket addressing when possible
(`http://BUCKET.s3.amazonaws.com/KEY`).

See [here](http://docs.aws.amazon.com/AmazonS3/latest/dev/VirtualHosting.html) for details.

- Default value: false
- Environment variable: `FLEET_S3_FORCE_S3_PATH_STYLE`
- Config file format:

```
s3:
  force_s3_path_style: false
```

##### s3_region

AWS S3 Region. Leave blank to enable region discovery.

Minio users must set this to any nonempty value (e.g. `minio`), as Minio does not support region discovery.

- Default value:
- Environment variable: `FLEET_S3_REGION`
- Config file format:

```
s3:
  region: us-east-1
```

##### Example YAML

```yaml
s3:
  bucket: some-carve-bucket
  prefix: carves-go-here/
  access_key_id: AKIAIOSFODNN7EXAMPLE
  secret_access_key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
  sts_assume_role_arn: arn:aws:iam::1234567890:role/some-s3-role
  region: us-east-1
```

#### Upgrades

##### allow_missing_migrations

If set, `fleet serve` will run even if there are database migrations missing.

- Default value: `false`
- Environment variable: `FLEET_UPGRADES_ALLOW_MISSING_MIGRATIONS`
- Config file format:

```
upgrades:
  allow_missing_migrations: true
```

#### Vulnerabilities

##### databases_path

The path specified needs to exist and Fleet needs to be able to read and write to and from it. This is the only mandatory configuration needed for vulnerability processing to work.

When `current_instance_checks` is set to `auto` (the default), Fleet instances will try to create the `databases_path` if it doesn't exist.

- Default value: `/tmp/vulndbs`
- Environment variable: `FLEET_VULNERABILITIES_DATABASES_PATH`
- Config file format:

```
vulnerabilities:
  databases_path: /some/path
```

##### periodicity

How often vulnerabilities are checked. This is also the interval at which the counts of hosts per software are calculated.

- Default value: `1h`
- Environment variable: `FLEET_VULNERABILITIES_PERIODICITY`
- Config file format:

```
vulnerabilities:
  periodicity: 1h
```

##### cpe_database_url

You can fetch the CPE dictionary database from this URL. Some users want to control where Fleet gets its database.
When Fleet sees this value defined, it downloads the file directly.
It expects a file in the same format that can be found in https://github.com/fleetdm/nvd/releases.
If this value is not defined, Fleet checks for the latest release in GitHub and only downloads it if needed.

- Default value: `""`
- Environment variable: `FLEET_VULNERABILITIES_CPE_DATABASE_URL`
- Config file format:

```
vulnerabilities:
  cpe_database_url: ""
```

##### cpe_translations_url

You can fetch the CPE translations from this URL.
Translations are used when matching software to CPE entries in the CPE database that would otherwise be missed for various reasons.
When Fleet sees this value defined, it downloads the file directly.
It expects a file in the same format that can be found in https://github.com/fleetdm/nvd/releases.
If this value is not defined, Fleet checks for the latest release in GitHub and only downloads it if needed.

- Default value: `""`
- Environment variable: `FLEET_VULNERABILITIES_CPE_TRANSLATIONS_URL`
- Config file format:

```
vulnerabilities:
  cpe_translations_url: ""
```

##### cve_feed_prefix_url

Like the CPE dictionary, we allow users to define where to get the CVE feeds.
In this case, the URL should be a host that serves the files in the path `/feeds/json/cve/1.1/`.
Fleet expects to find all the JSON Feeds that can be found in https://nvd.nist.gov/vuln/data-feeds.
When not defined, Fleet downloads from the nvd.nist.gov host.

- Default value: `""`
- Environment variable: `FLEET_VULNERABILITIES_CVE_FEED_PREFIX_URL`
- Config file format:

```
vulnerabilities:
  cve_feed_prefix_url: ""
```

##### current_instance_checks

When running multiple instances of the Fleet server, by default, one of them dynamically takes the lead in vulnerability processing. This lead can change over time. Some Fleet users want to be able to define which deployment is doing this checking. If you wish to do this, you'll need to deploy your Fleet instances with this set explicitly to `no`, and one of them set to `yes`.

- Default value: `auto`
- Environment variable: `FLEET_VULNERABILITIES_CURRENT_INSTANCE_CHECKS`
- Config file format:

```
vulnerabilities:
  current_instance_checks: yes
```

##### disable_schedule

To manage vulnerability processing externally, set the value to `true` and then run `fleet vuln_processing` using external
tools like crontab.

- Default value: `false`
- Environment variable: `FLEET_VULNERABILITIES_DISABLE_SCHEDULE`
- Config file format:

```
vulnerabilities:
  disable_schedule: false
```

##### disable_data_sync

Fleet by default automatically downloads and keeps the different data streams needed to properly do vulnerability processing. In some setups, this behavior is not wanted, as access to outside resources might be blocked, or the data stream files might need review/audit before use.

In order to support vulnerability processing in such environments, we allow users to disable automatic sync of data streams with this configuration value.

To download the data streams, you can use `fleetctl vulnerability-data-stream --dir ./somedir`. The contents downloaded can then be reviewed, and finally uploaded to the defined `databases_path` in the Fleet instance(s) doing the vulnerability processing.

- Default value: false
- Environment variable: `FLEET_VULNERABILITIES_DISABLE_DATA_SYNC`
- Config file format:

```
vulnerabilities:
  disable_data_sync: true
```

##### recent_vulnerability_max_age

Maximum age of a vulnerability (a CVE) to be considered "recent". The age is calculated based on the published date of the CVE in the [National Vulnerability Database](https://nvd.nist.gov/) (NVD). Recent vulnerabilities play a special role in Fleet's [automations](https://fleetdm.com/docs/using-fleet/automations), as they are reported when discovered on a host if the vulnerabilities webhook or a vulnerability integration is enabled.

- Default value: `720h` (30 days)
- Environment variable: `FLEET_VULNERABILITIES_RECENT_VULNERABILITY_MAX_AGE`
- Config file format:

```
vulnerabilities:
  recent_vulnerability_max_age: 48h
```

##### disable_win_os_vulnerabilities

If using osquery 5.4 or later, Fleet by default will fetch and store all applied Windows updates and use that for detecting Windows
vulnerabilities, which might be a write-intensive process (depending on the number of Windows hosts
in your Fleet). Setting this to true will cause Fleet to skip both processes.

- Default value: false
- Environment variable: `FLEET_VULNERABILITIES_DISABLE_WIN_OS_VULNERABILITIES`
- Config file format:

```
vulnerabilities:
  disable_win_os_vulnerabilities: true
```

##### Example YAML

```yaml
vulnerabilities:
  databases_path: /some/path
  current_instance_checks: yes
  disable_data_sync: true
```

#### GeoIP

##### database_path

The path to a valid MaxMind GeoIP database (mmdb). Support exists for the country & city versions of the database. If the city database is supplied,
Fleet will attempt to resolve the location via the city lookup; otherwise it defaults to the country lookup. The IP address used
to determine location is extracted via HTTP headers in the following order: `True-Client-IP`, `X-Real-IP`, and finally `X-FORWARDED-FOR` [headers](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For)
on the Fleet web server.

You can get a copy of the
[Geolite2](https://dev.maxmind.com/geoip/geolite2-free-geolocation-data?lang=en) database for free by
[creating an account](https://www.maxmind.com/en/geolite2/signup?lang=en) on the MaxMind website,
navigating to the [download page](https://www.maxmind.com/en/accounts/current/geoip/downloads),
and downloading the GZIP archive. Decompress it and place the mmdb file somewhere Fleet can access.
It is also possible to automatically keep the database up to date; see the
[documentation](https://dev.maxmind.com/geoip/updating-databases?lang=en) from MaxMind.

GeoIP databases can find what general area a device is from, but not the exact location.
They work by collecting which IP addresses ISPs use for different cities and countries and
packaging them up into a list mapping IP address to city.

You've likely seen services use GeoIP databases if they redirect you to a site specific
to your country, e.g. Google will redirect you to [google.ca](https://google.ca) if you visit from Canada
or Mouser will change to your local currency if you view an electronic component.

This can be useful for your Fleet install if you want to tell if a device is somewhere it shouldn't
be. If a desktop machine located at a site in New York suddenly appears in London, then you can tell
that something is wrong. It can also help you differentiate machines if they have similar names,
e.g. if you have two computers "John's MacBook Pro".

While it can be a useful tool, an unexpected result could be an error in the database, a user
connecting via a mobile network which uses the same IP address for a wide area, or a user visiting
family. Checking on the location of devices too often could be invasive to employees who are keeping
work devices on them for e.g. on-call responsibilities.

- Default value: none
- Environment variable: `FLEET_GEOIP_DATABASE_PATH`
- Config file format:

```yaml
geoip:
  database_path: /some/path/to/geolite2.mmdb
```

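How the documented header order resolves to the single address used for the GeoIP lookup, as an added Go example (not Fleet's own code). Taking the leftmost `X-Forwarded-For` entry, skipping values that do not parse as an IP, and falling back to the socket address are assumptions of this sketch; the requests are constructed samples.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strings"
)

// Header precedence as documented above: the first header that yields
// an address wins.
var geoIPHeaderOrder = []string{"True-Client-IP", "X-Real-IP", "X-Forwarded-For"}

// headers builds an http.Header from key/value pairs (helper for the
// constructed samples below).
func headers(kv ...string) http.Header {
	h := http.Header{}
	for i := 0; i+1 < len(kv); i += 2 {
		h.Add(kv[i], kv[i+1])
	}
	return h
}

// ResolveClientIP returns the address a GeoIP lookup would use and the
// name of the source it came from.
func ResolveClientIP(h http.Header, remoteAddr string) (ip, source string) {
	for _, name := range geoIPHeaderOrder {
		v := strings.TrimSpace(h.Get(name))
		if v == "" {
			continue
		}
		if name == "X-Forwarded-For" {
			// Assumption: use the leftmost entry of the comma-separated list.
			v = strings.TrimSpace(strings.Split(v, ",")[0])
		}
		// Assumption: a value that is not an IP is skipped, not trusted.
		if net.ParseIP(v) != nil {
			return v, name
		}
	}
	// Assumption: with no usable header, fall back to the socket peer.
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		host = remoteAddr
	}
	return host, "RemoteAddr"
}

func main() {
	// Constructed sample requests (documentation address ranges).
	samples := []struct {
		h      http.Header
		remote string
	}{
		{headers("X-Forwarded-For", "203.0.113.7, 10.0.0.2"), "10.0.0.2:51000"},
		{headers("X-Real-IP", "198.51.100.4", "X-Forwarded-For", "203.0.113.7"), "10.0.0.2:51000"},
		{headers("True-Client-IP", "192.0.2.9", "X-Real-IP", "198.51.100.4"), "10.0.0.2:51000"},
		{headers("True-Client-IP", "not-an-ip"), "[2001:db8::1]:443"},
	}
	for _, s := range samples {
		ip, src := ResolveClientIP(s.h, s.remote)
		fmt.Printf("%-16s from %s\n", ip, src)
	}
}
```

Because the first populated header wins, the reverse proxy in front of Fleet should set or strip these headers itself so that the looked-up location reflects the connection the proxy actually saw.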
#### Sentry

##### DSN

If set, then `fleet serve` will capture errors and panics and push them to Sentry.

- Default value: `""`
- Environment variable: `FLEET_SENTRY_DSN`
- Config file format:

```
sentry:
  dsn: "https://somedsnprovidedby.sentry.com/"
```

#### Prometheus

##### basic_auth.username

This is the username to use for HTTP Basic Auth on the `/metrics` endpoint.

If `basic_auth.username` is not set, then:
- If `basic_auth.disable` is not set then the Prometheus `/metrics` endpoint is disabled.
- If `basic_auth.disable` is set then the Prometheus `/metrics` endpoint is enabled but without HTTP Basic Auth.

- Default value: `""`
- Environment variable: `FLEET_PROMETHEUS_BASIC_AUTH_USERNAME`
- Config file format:

```yaml
prometheus:
  basic_auth:
    username: "foo"
```

##### basic_auth.password
This is the password to use for HTTP Basic Auth on the `/metrics` endpoint.

If `basic_auth.password` is not set, then:
- If `basic_auth.disable` is not set then the Prometheus `/metrics` endpoint is disabled.
- If `basic_auth.disable` is set then the Prometheus `/metrics` endpoint is enabled but without HTTP Basic Auth.

- Default value: `""`
- Environment variable: `FLEET_PROMETHEUS_BASIC_AUTH_PASSWORD`
- Config file format:

```yaml
prometheus:
  basic_auth:
    password: "bar"
```

##### basic_auth.disable
This allows running the Prometheus endpoint `/metrics` without HTTP Basic Auth.
If both `basic_auth.username` and `basic_auth.password` are set, then this setting is ignored.
- Default value: false
- Environment variable: `FLEET_PROMETHEUS_BASIC_AUTH_DISABLE`
- Config file format:
```yaml
prometheus:
  basic_auth:
    disable: true
```

#### Packaging
These configurations control how Fleet interacts with the
packaging server (coming soon). These features are currently only intended to be used within
Fleet sandbox, but this is subject to change.
##### packaging_global_enroll_secret
This is the enroll secret for adding hosts to the global scope. If this value is
set, the server won't allow changes to the enroll secret via the config
endpoints.
This value should be treated as a secret. We recommend using a
cryptographically secure pseudorandom string. For example, using `openssl`:
```
openssl rand -base64 24
```
This config only takes effect if you don't have a global enroll secret already
stored in your database.
- Default value: `""`
- Environment variable: `FLEET_PACKAGING_GLOBAL_ENROLL_SECRET`
- Config file format:
```yaml
packaging:
  global_enroll_secret: "xyz"
```

##### packaging_s3_bucket

This is the name of the S3 bucket to store pre-built Fleetd installers.

- Default value: ""
- Environment variable: `FLEET_PACKAGING_S3_BUCKET`
- Config file format:

```
packaging:
  s3:
    bucket: some-bucket
```

##### packaging_s3_prefix
This is the prefix to prepend when searching for installers.
- Default value: ""
- Environment variable: `FLEET_PACKAGING_S3_PREFIX`
- Config file format:
```
packaging:
  s3:
    prefix: installers-go-here/
```

##### packaging_s3_access_key_id
This is the AWS access key ID for S3 authentication.
If `s3_access_key_id` and `s3_secret_access_key` are omitted, Fleet will try to use
[the default credential provider chain](https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials).

The IAM identity used in this context must be allowed to perform the following actions on the bucket: `s3:GetObject`, `s3:ListBucket`.

- Default value: ""
- Environment variable: `FLEET_PACKAGING_S3_ACCESS_KEY_ID`
- Config file format:

```
packaging:
  s3:
    access_key_id: AKIAIOSFODNN7EXAMPLE
```

##### packaging_s3_secret_access_key
This is the AWS secret access key for S3 authentication.
- Default value: ""
- Environment variable: `FLEET_PACKAGING_S3_SECRET_ACCESS_KEY`
- Config file format:
```
packaging:
  s3:
    secret_access_key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
```

##### packaging_s3_sts_assume_role_arn
This is the AWS STS role ARN for S3 authentication.
- Default value: ""
- Environment variable: `FLEET_PACKAGING_S3_STS_ASSUME_ROLE_ARN`
- Config file format:
```
packaging:
  s3:
    sts_assume_role_arn: arn:aws:iam::1234567890:role/some-s3-role
```

##### packaging_s3_endpoint_url
This is the AWS S3 Endpoint URL. Override when using a different S3 compatible object storage backend (such as Minio)
or running S3 locally with LocalStack. Leave this blank to use the default AWS S3 service endpoint.
- Default value: ""
- Environment variable: `FLEET_PACKAGING_S3_ENDPOINT_URL`
- Config file format:
```
packaging:
  s3:
    endpoint_url: http://localhost:9000
```

##### packaging_s3_disable_ssl
This disables SSL for connections to AWS S3. It's useful for local testing.

- Default value: false
- Environment variable: `FLEET_PACKAGING_S3_DISABLE_SSL`
- Config file format:

```
packaging:
  s3:
    disable_ssl: false
```

##### packaging_s3_force_s3_path_style
This is the AWS S3 Force S3 Path Style. Set this to `true` to force the request to use path-style addressing
(e.g., `http://s3.amazonaws.com/BUCKET/KEY`). By default, the S3 client
will use virtual hosted bucket addressing when possible
(`http://BUCKET.s3.amazonaws.com/KEY`).

See the [Virtual hosting of buckets doc](http://docs.aws.amazon.com/AmazonS3/latest/dev/VirtualHosting.html) for details.

- Default value: false
- Environment variable: `FLEET_PACKAGING_S3_FORCE_S3_PATH_STYLE`
- Config file format:

```
packaging:
  s3:
    force_s3_path_style: false
```

##### packaging_s3_region
This is the AWS S3 Region. Leave it blank to enable region discovery.

Minio users must set this to any non-empty value (e.g., `minio`), as Minio does not support region discovery.

- Default value: ""
- Environment variable: `FLEET_PACKAGING_S3_REGION`
- Config file format:

```
packaging:
  s3:
    region: us-east-1
```

##### Example YAML
```yaml
packaging:
  s3:
    bucket: some-bucket
    prefix: installers-go-here/
    access_key_id: AKIAIOSFODNN7EXAMPLE
    secret_access_key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
    sts_assume_role_arn: arn:aws:iam::1234567890:role/some-s3-role
    region: us-east-1
```

## Mobile device management (MDM)

> MDM features require some endpoints to be publicly accessible outside your VPN or intranet. For more details, see [What API endpoints should I expose to the public internet?](./FAQ.md#what-api-endpoints-should-i-expose-to-the-public-internet)

This section is a reference for the configuration required to turn on MDM features in production.

If you're a Fleet contributor and you'd like to turn on MDM features in a local environment, see the guided instructions [here](../Contributing/Testing-and-local-development.md#mdm-setup-and-testing).

##### mdm.apple_apns_cert_bytes

The content of the Apple Push Notification service (APNs) certificate. An X.509 certificate, PEM-encoded. Typically generated via `fleetctl generate mdm-apple`.

- Default value: ""
- Environment variable: `FLEET_MDM_APPLE_APNS_CERT_BYTES`
- Config file format:

```
mdm:
  apple_apns_cert_bytes: |
    -----BEGIN CERTIFICATE-----
    ... PEM-encoded content ...
    -----END CERTIFICATE-----
```

##### mdm.apple_apns_key_bytes

The content of the PEM-encoded private key for the Apple Push Notification service (APNs). Typically generated via `fleetctl generate mdm-apple`.

- Default value: ""
- Environment variable: `FLEET_MDM_APPLE_APNS_KEY_BYTES`
- Config file format:

```
mdm:
  apple_apns_key_bytes: |
    -----BEGIN RSA PRIVATE KEY-----
    ... PEM-encoded content ...
    -----END RSA PRIVATE KEY-----
```

##### mdm.apple_scep_cert_bytes

The content of the Simple Certificate Enrollment Protocol (SCEP) certificate. An X.509 certificate, PEM-encoded. Typically generated via `fleetctl generate mdm-apple`.

- Default value: ""
- Environment variable: `FLEET_MDM_APPLE_SCEP_CERT_BYTES`
- Config file format:

```
mdm:
  apple_scep_cert_bytes: |
    -----BEGIN CERTIFICATE-----
    ... PEM-encoded content ...
    -----END CERTIFICATE-----
```

##### mdm.apple_scep_key_bytes

The content of the PEM-encoded private key for the Simple Certificate Enrollment Protocol (SCEP). Typically generated via `fleetctl generate mdm-apple`.

- Default value: ""
- Environment variable: `FLEET_MDM_APPLE_SCEP_KEY_BYTES`
- Config file format:

```
mdm:
  apple_scep_key_bytes: |
    -----BEGIN RSA PRIVATE KEY-----
    ... PEM-encoded content ...
    -----END RSA PRIVATE KEY-----
```

##### mdm.apple_scep_challenge

An alphanumeric secret for the Simple Certificate Enrollment Protocol (SCEP). Should be 32 characters in length and only include alphanumeric characters.

- Default value: ""
- Environment variable: `FLEET_MDM_APPLE_SCEP_CHALLENGE`
- Config file format:

```
mdm:
  apple_scep_challenge: scepchallenge
```

##### mdm.apple_scep_signer_validity_days
The number of days the signed SCEP client certificates will be valid.
- Default value: 365
- Environment variable: `FLEET_MDM_APPLE_SCEP_SIGNER_VALIDITY_DAYS`
- Config file format:
```
mdm:
  apple_scep_signer_validity_days: 100
```

##### mdm.apple_scep_signer_allow_renewal_days
The number of days allowed to renew SCEP certificates.
- Default value: 14
- Environment variable: `FLEET_MDM_APPLE_SCEP_SIGNER_ALLOW_RENEWAL_DAYS`
- Config file format:
```
mdm:
  apple_scep_signer_allow_renewal_days: 30
```

##### mdm.apple_bm_server_token_bytes

This is the content of the Apple Business Manager encrypted server token downloaded from Apple Business Manager.

- Default value: ""
- Environment variable: `FLEET_MDM_APPLE_BM_SERVER_TOKEN_BYTES`
- Config file format:

```
mdm:
  apple_bm_server_token_bytes: |
    Content-Type: application/pkcs7-mime; name="smime.p7m"; smime-type=enveloped-data
    Content-Transfer-Encoding: base64
    ... rest of content ...
```

##### mdm.apple_bm_cert_bytes

This is the content of the Apple Business Manager certificate. The certificate is a PEM-encoded X.509 certificate that's typically generated via `fleetctl generate mdm-apple-bm`.

- Default value: ""
- Environment variable: `FLEET_MDM_APPLE_BM_CERT_BYTES`
- Config file format:

```
mdm:
  apple_bm_cert_bytes: |
    -----BEGIN CERTIFICATE-----
    ... PEM-encoded content ...
    -----END CERTIFICATE-----
```

##### mdm.apple_bm_key_bytes

This is the content of the PEM-encoded private key for the Apple Business Manager. It's typically generated via `fleetctl generate mdm-apple-bm`.

- Default value: ""
- Environment variable: `FLEET_MDM_APPLE_BM_KEY_BYTES`
- Config file format:

```
mdm:
  apple_bm_key_bytes: |
    -----BEGIN RSA PRIVATE KEY-----
    ... PEM-encoded content ...
    -----END RSA PRIVATE KEY-----
```

##### mdm.apple_dep_sync_periodicity
The duration between DEP device syncing (fetching and setting of DEP profiles). Only relevant if Apple Business Manager (ABM) is configured.
- Default value: 1m
- Environment variable: `FLEET_MDM_APPLE_DEP_SYNC_PERIODICITY`
- Config file format:
```
mdm:
  apple_dep_sync_periodicity: 10m
```

## Managing osquery configurations

We recommend that you use an infrastructure configuration management tool to manage these osquery configurations consistently across your environment. If you're unsure about what configuration management tools your organization uses, contact your company's system administrators. If you are evaluating new solutions for this problem, the founders of Fleet have successfully managed configurations in large production environments using [Chef](https://www.chef.io/chef/) and [Puppet](https://puppet.com/).

## Running with systemd

Once you've verified that you can run Fleet in your shell, you'll likely want to keep Fleet running in the background and after the server reboots. To do that we recommend using [systemd](https://coreos.com/os/docs/latest/getting-started-with-systemd.html).

Below is a sample unit file, assuming a `fleet` user exists on the system. Any user with sufficient
permissions to execute the binary, open the configuration files, and write the log files can be
used. It is also possible to run as `root`, though as with any other web server it is discouraged
to run Fleet as `root`.

```
[Unit]
Description=Fleet
After=network.target

[Service]
User=fleet
Group=fleet
LimitNOFILE=8192
ExecStart=/usr/local/bin/fleet serve \
  --mysql_address=127.0.0.1:3306 \
  --mysql_database=fleet \
  --mysql_username=root \
  --mysql_password=toor \
  --redis_address=127.0.0.1:6379 \
  --server_cert=/tmp/server.cert \
  --server_key=/tmp/server.key \
  --logging_json

[Install]
WantedBy=multi-user.target
```

Once you've created the file, you need to move it to `/etc/systemd/system/fleet.service` and start the service.
```
sudo mv fleet.service /etc/systemd/system/fleet.service
sudo systemctl start fleet.service
sudo systemctl status fleet.service
sudo journalctl -u fleet.service -f
```
### Making changes
Sometimes you'll need to update the systemd unit file defining the service. To do that, first open `/etc/systemd/system/fleet.service` in a text editor, and make your modifications.

Then, run:
```
sudo systemctl daemon-reload
sudo systemctl restart fleet.service
```
## Using a proxy
If you are in an enterprise environment where Fleet is behind a proxy and you would like to be able to retrieve vulnerability data for [Vulnerability Processing](https://fleetdm.com/docs/using-fleet/vulnerability-processing#vulnerability-processing), it may be necessary to configure the proxy settings. Fleet automatically uses the `HTTP_PROXY`, `HTTPS_PROXY`, and `NO_PROXY` environment variables.

For example, to configure the proxy in a systemd service file:
```
[Service]
Environment="HTTP_PROXY=http(s)://PROXY_URL:PORT/"
Environment="HTTPS_PROXY=http(s)://PROXY_URL:PORT/"
Environment="NO_PROXY=localhost,127.0.0.1,::1"
```
After modifying the configuration you will need to reload and restart the Fleet service, as explained above.

## Configuring single sign-on (SSO)

Fleet supports SAML single sign-on capability.

Fleet supports both SP-initiated SAML login and IDP-initiated login. However, IDP-initiated login must be enabled in the web interface's SAML single sign-on options.

Fleet supports the SAML Web Browser SSO Profile using the HTTP Redirect Binding.

**Note: The email used in the SAML Assertion must match a user that already exists in Fleet unless you enable [JIT provisioning](#just-in-time-jit-user-provisioning).**

### Identity provider (IDP) configuration

Setting up the service provider (Fleet) with an identity provider generally requires the following information:

- _Assertion Consumer Service_ - This is the call-back URL that the identity provider will use to send security assertions to Fleet. In Okta, this field is called _single sign-on URL_. On Google, it is "ACS URL." The value you supply will be a fully qualified URL consisting of your Fleet web address and the call-back path `/api/v1/fleet/sso/callback`. For example, if your Fleet web address is https://fleet.example.com, then the value you would use in the identity provider configuration would be:

  ```
  https://fleet.example.com/api/v1/fleet/sso/callback
  ```

- _Entity ID_ - This value is an identifier that you choose. It identifies your Fleet instance as the service provider that issues authorization requests. The value must match the Entity ID that you define in the Fleet SSO configuration.

- _Name ID Format_ - The value should be `urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress`. This may be shortened in the IDP setup to something like `email` or `EmailAddress`.

- _Subject Type (Application username in Okta)_ - `email`.

After supplying the above information, the IDP will generate an issuer URI and metadata that will be used to configure Fleet as a service provider.

### Fleet SSO configuration

A Fleet user must be assigned the Admin role to configure Fleet for SSO. In Fleet, SSO configuration settings are located in **Settings > Organization settings > SAML single sign-on options**.

If your IDP supports dynamic configuration, like Okta, you only need to provide an _identity provider name_ and _entity ID_, then paste a link in the metadata URL field. Make sure you create the SSO application within your IDP before configuring it in Fleet.

Otherwise, the following values are required:

- _Identity provider name_ - A human-readable name of the IDP. This is rendered on the login page.

- _Entity ID_ - A URI that identifies your Fleet instance as the issuer of authorization requests (e.g., `fleet.example.com`). This must match the _Entity ID_ configured with the IDP.

- _Metadata URL_ - This value is obtained from the IDP and is used by Fleet to issue authorization requests to the IDP.

- _Metadata_ - If the IDP does not provide a metadata URL, the metadata must be obtained from the IDP and entered. Note that the metadata URL is preferred if the IDP provides metadata in both forms.

#### Example Fleet SSO configuration

![Example SSO Configuration](https://raw.githubusercontent.com/fleetdm/fleet/main/docs/images/sso-setup.png)

### Creating SSO users in Fleet

When an admin creates a new user in Fleet, they may select the `Enable single sign on` option. The
SSO-enabled users will not be able to sign in with a regular user ID and password.

It is strongly recommended that at least one admin user is set up to use the traditional password-based login so that there is a fallback method for logging into Fleet in the event of SSO
configuration problems.

> Individual users must also be set up on the IDP before signing in to Fleet.

### Enabling SSO for existing users in Fleet

As an admin, you can enable SSO for existing users in Fleet. To do this, go to the Settings page,
then click on the Users tab. Locate the user you want to enable SSO for, and in the Actions dropdown
menu for that user, click on "Edit." In the dialogue that opens, check the box labeled "Enable
single sign-on," then click "Save." If you are unable to check that box, you must first
[configure and enable SSO for the organization](https://fleetdm.com/docs/deploying/configuration#configuring-single-sign-on-sso).

### Just-in-time (JIT) user provisioning

`Applies only to Fleet Premium`

When JIT user provisioning is turned on, Fleet will automatically create an account when a user logs in for the first time with the configured SSO. This removes the need to create individual user accounts for a large organization.

The new account's email and full name are copied from the user data in the SSO response.
By default, accounts created via JIT provisioning are assigned the [Global Observer role](https://fleetdm.com/docs/using-fleet/permissions).
To assign different roles for accounts created via JIT provisioning, see [Customization of user roles](#customization-of-user-roles) below.

To enable this option, go to **Settings > Organization settings > single sign-on options** and check "_Create user and sync permissions on login_" or [adjust your config](#sso-settings-enable-jit-provisioning).

For this to work correctly, make sure that:

- Your IDP is configured to send the user email as the Name ID (instructions for configuring different providers are detailed below).
- Your IDP sends the full name of the user as an attribute with any of the following names (if this value is not provided, Fleet will fall back to the user email):
  - `name`
  - `displayname`
  - `cn`
  - `urn:oid:2.5.4.3`
  - `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name`

#### Customization of user roles

> This feature requires setting `sso_settings.enable_jit_provisioning` to `true`.

Users created via JIT provisioning can be assigned Fleet roles using SAML custom attributes that are sent by the IdP in `SAMLResponse`s during login.

Fleet will attempt to parse SAML custom attributes with the following format:

- `FLEET_JIT_USER_ROLE_GLOBAL`: Specifies the global role to use when creating the user.
- `FLEET_JIT_USER_ROLE_TEAM_<TEAM_ID>`: Specifies the team role for the team with ID `<TEAM_ID>` to use when creating the user.

Currently supported values for the above attributes are: `admin`, `maintainer`, `observer`, `observer_plus` and `null`.
A role attribute with value `null` will be ignored by Fleet. (This is to support limitations on some IdPs which do not allow you to choose what keys are sent to Fleet when creating a new user.)

SAML supports multi-valued attributes; Fleet will always use the last value.

NOTE: Setting both `FLEET_JIT_USER_ROLE_GLOBAL` and `FLEET_JIT_USER_ROLE_TEAM_<TEAM_ID>` will cause an error during login, as Fleet users cannot both be Global users and belong to teams.

The following behavior takes place on every SSO login:

A. If the account does not exist then:
  - If the `SAMLResponse` has any role attributes then those will be used to set the account roles.
  - If the `SAMLResponse` does not have any role attributes set, then Fleet will default to use the `Global Observer` role.

B. If the account already exists:
  - If the `SAMLResponse` has any role attributes then those will be used to update the account roles.
  - If the `SAMLResponse` does not have any role attributes set, no role change is attempted.

Here's a `SAMLResponse` sample to set the role of SSO users to Global `admin`:
```xml
[...]
<saml2:Assertion ID="id16311976805446352575023709" IssueInstant="2023-02-27T17:41:53.505Z" Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://www.okta.com/exk8glknbnr9Lpdkl5d7</saml2:Issuer>
  [...]
  <saml2:Subject xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">bar@foo.example.com</saml2:NameID>
    <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml2:SubjectConfirmationData InResponseTo="id1Juy6Mx2IHYxLwsi" NotOnOrAfter="2023-02-27T17:46:53.506Z" Recipient="https://foo.example.com/api/v1/fleet/sso/callback"/>
    </saml2:SubjectConfirmation>
  </saml2:Subject>
  [...]
  <saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml2:Attribute Name="FLEET_JIT_USER_ROLE_GLOBAL" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">admin</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>
[...]
```

Here's a `SAMLResponse` sample to set the role of SSO users to `observer` in team with ID `1` and `maintainer` in team with ID `2`:

```xml
[...]
<saml2:Assertion ID="id16311976805446352575023709" IssueInstant="2023-02-27T17:41:53.505Z" Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://www.okta.com/exk8glknbnr9Lpdkl5d7</saml2:Issuer>
  [...]
  <saml2:Subject xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">bar@foo.example.com</saml2:NameID>
    <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml2:SubjectConfirmationData InResponseTo="id1Juy6Mx2IHYxLwsi" NotOnOrAfter="2023-02-27T17:46:53.506Z" Recipient="https://foo.example.com/api/v1/fleet/sso/callback"/>
    </saml2:SubjectConfirmation>
  </saml2:Subject>
  [...]
  <saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml2:Attribute Name="FLEET_JIT_USER_ROLE_TEAM_1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">observer</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="FLEET_JIT_USER_ROLE_TEAM_2" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">maintainer</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>
[...]
```

Each IdP has its own way of setting these SAML custom attributes. Here are instructions for how to set them in Okta: https://support.okta.com/help/s/article/How-to-define-and-configure-a-custom-SAML-attribute-statement?language=en_US.
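
The role rules above (last value wins, `null` ignored, global and team roles mutually exclusive, cases A and B), worked through as an added Go example that is not Fleet's code. The `Roles` type, the helper names, the rejection of unsupported values and the sample XML are assumptions of this example, and it assumes the assertion's signature has already been verified.

```go
package main

import (
	"encoding/xml"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

const globalAttr = "FLEET_JIT_USER_ROLE_GLOBAL"
const teamPrefix = "FLEET_JIT_USER_ROLE_TEAM_"

// Supported role values listed on the page ("null" is handled separately).
var supportedRoles = map[string]bool{"admin": true, "maintainer": true, "observer": true, "observer_plus": true}

// attributeStatement matches elements by local name, whatever the namespace prefix.
type attributeStatement struct {
	Attributes []struct {
		Name   string   `xml:"Name,attr"`
		Values []string `xml:"AttributeValue"`
	} `xml:"Attribute"`
}

// Roles is this example's own result type (hypothetical, not a Fleet type).
type Roles struct {
	Global string          // "" means no global role
	Teams  map[uint]string // team ID -> role
}

// parseRoles extracts the role attributes from an already-validated AttributeStatement.
func parseRoles(statement string) (Roles, error) {
	var st attributeStatement
	if err := xml.Unmarshal([]byte(statement), &st); err != nil {
		return Roles{}, err
	}
	out := Roles{Teams: map[uint]string{}}
	for _, a := range st.Attributes {
		isGlobal := a.Name == globalAttr
		if (!isGlobal && !strings.HasPrefix(a.Name, teamPrefix)) || len(a.Values) == 0 {
			continue // not a role attribute (e.g. displayname)
		}
		role := strings.TrimSpace(a.Values[len(a.Values)-1]) // multi-valued: last value wins
		if role == "null" {
			continue // ignored, as if the attribute had not been sent
		}
		if !supportedRoles[role] {
			// Assumption: unsupported values are rejected rather than silently dropped.
			return Roles{}, fmt.Errorf("%s: unsupported role %q", a.Name, role)
		}
		if isGlobal {
			out.Global = role
			continue
		}
		id, err := strconv.ParseUint(strings.TrimPrefix(a.Name, teamPrefix), 10, 32)
		if err != nil {
			return Roles{}, fmt.Errorf("%s: invalid team ID", a.Name)
		}
		out.Teams[uint(id)] = role
	}
	if out.Global != "" && len(out.Teams) > 0 {
		return Roles{}, errors.New("global and team roles are mutually exclusive")
	}
	return out, nil
}

// rolesOnLogin applies case A (new account) and case B (existing account).
func rolesOnLogin(accountExists bool, current Roles, statement string) (Roles, error) {
	parsed, err := parseRoles(statement)
	if err != nil {
		return current, err
	}
	if parsed.Global != "" || len(parsed.Teams) > 0 {
		return parsed, nil // role attributes present: set (A) or update (B)
	}
	if accountExists {
		return current, nil // B without role attributes: no role change
	}
	return Roles{Global: "observer", Teams: map[uint]string{}}, nil // A default
}

// attr and statement build constructed sample XML (hypothetical helpers).
func attr(name string, values ...string) string {
	v := "<saml2:AttributeValue>" + strings.Join(values, "</saml2:AttributeValue><saml2:AttributeValue>") + "</saml2:AttributeValue>"
	return fmt.Sprintf(`<saml2:Attribute Name=%q>%s</saml2:Attribute>`, name, v)
}

func statement(attrs ...string) string {
	return `<saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">` +
		strings.Join(attrs, "") + `</saml2:AttributeStatement>`
}

func main() {
	// Constructed sample: multi-valued global role plus a team key the IdP sends as null.
	s := statement(attr(globalAttr, "observer", "admin"), attr(teamPrefix+"1", "null"))
	r, err := rolesOnLogin(false, Roles{}, s)
	fmt.Printf("%+v %v\n", r, err)
}
```

Because an existing account's roles are updated on every login that carries role attributes, the IdP's attribute mapping is effectively the source of truth for those users' Fleet permissions.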

#### Okta IDP configuration

![Example Okta IDP Configuration](https://raw.githubusercontent.com/fleetdm/fleet/main/docs/images/okta-idp-setup.png)

Once configured, you will need to retrieve the Issuer URI from the `View Setup Instructions` and metadata URL from the `Identity Provider metadata` link within the application `Sign on` settings. See below for where to find them:

![Where to find SSO links for Fleet](https://raw.githubusercontent.com/fleetdm/fleet/main/docs/images/okta-retrieve-links.png)

> The Provider Sign-on URL within the `View Setup Instructions` has a similar format as the Provider SAML Metadata URL, but this link provides a redirect to _sign into_ the application, not the metadata necessary for dynamic configuration.

> The names of the items required to configure an identity provider may vary from provider to provider and may not conform to the SAML spec.

#### Google Workspace IDP Configuration

Follow these steps to configure Fleet SSO with Google Workspace. This will require administrator permissions in Google Workspace.

1. Navigate to the [Web and Mobile Apps](https://admin.google.com/ac/apps/unified) section of the Google Workspace dashboard. Click _Add App -> Add custom SAML app_.

   ![The Google Workspace admin dashboard](https://raw.githubusercontent.com/fleetdm/fleet/main/docs/images/google-sso-configuration-step-1.png)

2. Enter `Fleet` for the _App name_ and click _Continue_.

   ![Adding a new app to Google workspace admin dashboard](https://raw.githubusercontent.com/fleetdm/fleet/main/docs/images/google-sso-configuration-step-2.png)

3. Click _Download Metadata_, saving the metadata to your computer. Click _Continue_.

   ![Download metadata](https://raw.githubusercontent.com/fleetdm/fleet/main/docs/images/google-sso-configuration-step-3.png)

4. In Fleet, navigate to the _Organization Settings_ page. Configure the _SAML single sign-on options_ section.

   - Check the _Enable single sign-on_ checkbox.
   - For _Identity provider name_, use `Google`.
   - For _Entity ID_, use a unique identifier such as `fleet.example.com`. Note that Google seems to error when the provided ID includes `https://`.
   - For _Metadata_, paste the contents of the downloaded metadata XML from step three.
   - All other fields can be left blank.

   Click _Update settings_ at the bottom of the page.

   ![Fleet's SAML single sign on options page](https://raw.githubusercontent.com/fleetdm/fleet/main/docs/images/google-sso-configuration-step-4.png)

5. In Google Workspace, configure the _Service provider details_.

   - For _ACS URL_, use `https://<your_fleet_url>/api/v1/fleet/sso/callback` (e.g., `https://fleet.example.com/api/v1/fleet/sso/callback`).
   - For Entity ID, use **the same unique identifier from step four** (e.g., `fleet.example.com`).
   - For _Name ID format_, choose `EMAIL`.
   - For _Name ID_, choose `Basic Information > Primary email`.
   - All other fields can be left blank.

   Click _Continue_ at the bottom of the page.

   ![Configuring the service provider details in Google Workspace](https://raw.githubusercontent.com/fleetdm/fleet/main/docs/images/google-sso-configuration-step-5.png)

6. Click _Finish_.

   ![Finish configuring the new SAML app in Google Workspace](https://raw.githubusercontent.com/fleetdm/fleet/main/docs/images/google-sso-configuration-step-6.png)

7. Click the down arrow on the _User access_ section of the app details page.

   ![The new SAML app's details page in Google Workspace](https://raw.githubusercontent.com/fleetdm/fleet/main/docs/images/google-sso-configuration-step-7.png)

8. Check _ON for everyone_. Click _Save_.

   ![The new SAML app's service status page in Google Workspace](https://raw.githubusercontent.com/fleetdm/fleet/main/docs/images/google-sso-configuration-step-8.png)

9. Enable SSO for a test user and try logging in. Note that Google sometimes takes a long time to propagate the SSO configuration, and it can help to try logging in to Fleet with an Incognito/Private window in the browser.

## Public IPs of devices
> IMPORTANT: In order for this feature to work properly, devices must connect to Fleet via the public internet.
> If the agent connects to Fleet via a private network then the "Public IP address" for such device will not be set.
Fleet attempts to deduce the public IP of devices from well-known HTTP headers received on requests made by the osquery agent.

The HTTP request headers are checked in the following order:

1. If the `True-Client-IP` header is set, then Fleet will extract its value.
2. If the `X-Real-IP` header is set, then Fleet will extract its value.
3. If the `X-Forwarded-For` header is set, then Fleet will extract the first comma-separated value.
4. If none of the above headers are present in the HTTP request, then Fleet will attempt to use the remote address of the TCP connection (note that on deployments with ingress proxies the remote address seen by Fleet is the IP of the ingress proxy).

If the IP retrieved using the above heuristic belongs to a private range, then Fleet will ignore it and will not set the "Public IP address" field for the device.
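
The header order above as an added Go example (not Fleet's implementation). Function names and sample addresses are constructed, and "private range" is read here as `net.IP.IsPrivate` plus loopback, which is an assumption.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strings"
)

// deducePublicIP applies the documented order: True-Client-IP, X-Real-IP,
// the first X-Forwarded-For value, then the TCP remote address. It returns ""
// when the selected address is unparsable or not public, which corresponds to
// the "Public IP address" field being left unset.
func deducePublicIP(r *http.Request) string {
	var candidate string
	switch {
	case r.Header.Get("True-Client-IP") != "":
		candidate = r.Header.Get("True-Client-IP")
	case r.Header.Get("X-Real-IP") != "":
		candidate = r.Header.Get("X-Real-IP")
	case r.Header.Get("X-Forwarded-For") != "":
		// Only the first comma-separated value is considered.
		candidate = strings.Split(r.Header.Get("X-Forwarded-For"), ",")[0]
	default:
		// RemoteAddr is "host:port"; behind an ingress proxy it is the proxy's address.
		host, _, err := net.SplitHostPort(r.RemoteAddr)
		if err != nil {
			host = r.RemoteAddr
		}
		candidate = host
	}
	ip := net.ParseIP(strings.TrimSpace(candidate))
	// Assumption: "private range" is read as RFC 1918 / RFC 4193 plus loopback.
	// The selected source is final: a private value is not replaced by a later source.
	if ip == nil || ip.IsPrivate() || ip.IsLoopback() {
		return ""
	}
	return ip.String()
}

// newReq builds a constructed request for the demonstration (hypothetical helper).
func newReq(remoteAddr string, headers map[string]string) *http.Request {
	r := &http.Request{Header: http.Header{}, RemoteAddr: remoteAddr}
	for k, v := range headers {
		r.Header.Set(k, v)
	}
	return r
}

func main() {
	// Constructed samples; public addresses come from the documentation ranges.
	cases := []struct {
		name string
		req  *http.Request
	}{
		{"True-Client-IP wins over X-Forwarded-For", newReq("10.0.0.5:41000", map[string]string{
			"True-Client-IP": "203.0.113.7", "X-Forwarded-For": "198.51.100.9"})},
		{"first X-Forwarded-For value", newReq("10.0.0.5:41000", map[string]string{
			"X-Forwarded-For": "198.51.100.9, 10.0.0.5"})},
		{"private header value, field left unset", newReq("203.0.113.50:41000", map[string]string{
			"X-Real-IP": "192.168.1.20"})},
		{"no headers, proxy on a private network", newReq("10.0.0.5:41000", nil)},
		{"no headers, direct connection", newReq("203.0.113.50:41000", nil)},
	}
	for _, c := range cases {
		fmt.Printf("%-45s -> %q\n", c.name, deducePublicIP(c.req))
	}
}
```

The first three sources are request headers, so the resulting value is only as trustworthy as the ingress proxy that sets or overwrites them.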

<meta name="pageOrderInSection" value="300">
<meta name="description" value="This page includes resources for configuring the Fleet binary, managing osquery configurations, and running with systemd.">