Updated flags for osquery 5.11 (#16239)

#16180
osquery flag validation has been updated for osquery 5.11
- new flags have been added to validation
- `table_exceptions` flag has been replaced with
`ignore_table_exceptions`

NOTE: It appears that the last time this flow was run, it was run on Linux. I moved
several flags from the automatically generated section to the Linux
section.

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

<!-- Note that API documentation changes are now addressed by the
product design team. -->

- [x] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [x] Added/updated tests
- [x] Manual QA for all new/changed functionality
Victor Lyuboslavsky 2024-01-24 12:24:11 -06:00 committed by GitHub
parent 99163d5dfc
commit 970a37c87b
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
5 changed files with 101 additions and 69 deletions


@ -0,0 +1,3 @@
osquery flag validation has been updated for osquery 5.11
- new flags have been added to validation
- `table_exceptions` flag has been replaced with `ignore_table_exceptions`


@ -152,7 +152,7 @@ func validateJSONAgentOptionsExtensions(ctx context.Context, ds Datastore, optsE
// See https://osquery.readthedocs.io/en/stable/deployment/configuration/#configuration-specification
//
// NOTE: Update the following line with the version used for validation.
// Current version: 5.5.1
// Current version: 5.11.0
type osqueryAgentOptions struct {
Options osqueryOptions `json:"options"`
@ -211,35 +211,27 @@ type osqueryAgentOptions struct {
// NOTE: generate automatically with `go run ./tools/osquery-agent-options/main.go`
type osqueryOptions struct {
AuditAllowAcceptSocketEvents bool `json:"audit_allow_accept_socket_events"`
AuditAllowApparmorEvents bool `json:"audit_allow_apparmor_events"`
AuditAllowConfig bool `json:"audit_allow_config"`
AuditAllowFailedSocketEvents bool `json:"audit_allow_failed_socket_events"`
AuditAllowFimEvents bool `json:"audit_allow_fim_events"`
AuditAllowForkProcessEvents bool `json:"audit_allow_fork_process_events"`
AuditAllowKillProcessEvents bool `json:"audit_allow_kill_process_events"`
AuditAllowNullAcceptSocketEvents bool `json:"audit_allow_null_accept_socket_events"`
AuditAllowProcessEvents bool `json:"audit_allow_process_events"`
AuditAllowSeccompEvents bool `json:"audit_allow_seccomp_events"`
AuditAllowSelinuxEvents bool `json:"audit_allow_selinux_events"`
AuditAllowSockets bool `json:"audit_allow_sockets"`
AuditAllowUserEvents bool `json:"audit_allow_user_events"`
AuditBacklogLimit int32 `json:"audit_backlog_limit"`
AuditBacklogWaitTime int32 `json:"audit_backlog_wait_time"`
AuditForceReconfigure bool `json:"audit_force_reconfigure"`
AuditForceUnconfigure bool `json:"audit_force_unconfigure"`
AuditPersist bool `json:"audit_persist"`
AugeasLenses string `json:"augeas_lenses"`
AwsAccessKeyId string `json:"aws_access_key_id"`
AwsDebug bool `json:"aws_debug"`
AwsDisableImdsv1Fallback bool `json:"aws_disable_imdsv1_fallback"`
AwsEnableProxy bool `json:"aws_enable_proxy"`
AwsFirehoseEndpoint string `json:"aws_firehose_endpoint"`
AwsFirehosePeriod uint64 `json:"aws_firehose_period"`
AwsFirehoseRegion string `json:"aws_firehose_region"`
AwsFirehoseStream string `json:"aws_firehose_stream"`
AwsImdsv2RequestAttempts uint32 `json:"aws_imdsv2_request_attempts"`
AwsImdsv2RequestInterval uint32 `json:"aws_imdsv2_request_interval"`
AwsKinesisDisableLogStatus bool `json:"aws_kinesis_disable_log_status"`
AwsKinesisEndpoint string `json:"aws_kinesis_endpoint"`
AwsKinesisPeriod uint64 `json:"aws_kinesis_period"`
AwsKinesisRandomPartitionKey bool `json:"aws_kinesis_random_partition_key"`
AwsKinesisRegion string `json:"aws_kinesis_region"`
AwsKinesisStream string `json:"aws_kinesis_stream"`
AwsProfileName string `json:"aws_profile_name"`
AwsProxyHost string `json:"aws_proxy_host"`
@ -254,8 +246,6 @@ type osqueryOptions struct {
AwsStsRegion string `json:"aws_sts_region"`
AwsStsSessionName string `json:"aws_sts_session_name"`
AwsStsTimeout uint64 `json:"aws_sts_timeout"`
BpfBufferStorageSize uint64 `json:"bpf_buffer_storage_size"`
BpfPerfEventArrayExp uint64 `json:"bpf_perf_event_array_exp"`
BufferedLogMax uint64 `json:"buffered_log_max"`
DecorationsTopLevel bool `json:"decorations_top_level"`
DisableAudit bool `json:"disable_audit"`
@ -266,7 +256,6 @@ type osqueryOptions struct {
DisableEvents bool `json:"disable_events"`
DisableHashCache bool `json:"disable_hash_cache"`
DisableLogging bool `json:"disable_logging"`
DisableMemory bool `json:"disable_memory"`
DistributedDenylistDuration uint64 `json:"distributed_denylist_duration"`
DistributedInterval uint64 `json:"distributed_interval"`
DistributedLoginfo bool `json:"distributed_loginfo"`
@ -275,18 +264,21 @@ type osqueryOptions struct {
DistributedTlsReadEndpoint string `json:"distributed_tls_read_endpoint"`
DistributedTlsWriteEndpoint string `json:"distributed_tls_write_endpoint"`
DockerSocket string `json:"docker_socket"`
EnableBpfEvents bool `json:"enable_bpf_events"`
EnableFileEvents bool `json:"enable_file_events"`
EnableForeign bool `json:"enable_foreign"`
EnableNumericMonitoring bool `json:"enable_numeric_monitoring"`
EnableSyslog bool `json:"enable_syslog"`
Ephemeral bool `json:"ephemeral"`
EsFimEnableOpenEvents bool `json:"es_fim_enable_open_events"`
EventsExpiry uint64 `json:"events_expiry"`
EventsMax uint64 `json:"events_max"`
EventsOptimize bool `json:"events_optimize"`
ExperimentList string `json:"experiment_list"`
ExtensionsDefaultIndex bool `json:"extensions_default_index"`
HashCacheMax uint32 `json:"hash_cache_max"`
HostIdentifier string `json:"host_identifier"`
IgnoreTableExceptions bool `json:"ignore_table_exceptions"`
KeychainAccessCache bool `json:"keychain_access_cache"`
KeychainAccessInterval uint32 `json:"keychain_access_interval"`
LoggerEventType bool `json:"logger_event_type"`
LoggerKafkaAcks string `json:"logger_kafka_acks"`
LoggerKafkaBrokers string `json:"logger_kafka_brokers"`
@ -307,7 +299,6 @@ type osqueryOptions struct {
LoggerTlsMaxLines uint64 `json:"logger_tls_max_lines"`
LoggerTlsMaxLinesize uint64 `json:"logger_tls_max_linesize"`
LoggerTlsPeriod uint64 `json:"logger_tls_period"`
LxdSocket string `json:"lxd_socket"`
Nullvalue string `json:"nullvalue"`
NumericMonitoringFilesystemPath string `json:"numeric_monitoring_filesystem_path"`
NumericMonitoringPlugins string `json:"numeric_monitoring_plugins"`
@ -323,12 +314,7 @@ type osqueryOptions struct {
ScheduleSplayPercent uint64 `json:"schedule_splay_percent"`
ScheduleTimeout uint64 `json:"schedule_timeout"`
SpecifiedIdentifier string `json:"specified_identifier"`
SyslogEventsExpiry uint64 `json:"syslog_events_expiry"`
SyslogEventsMax uint64 `json:"syslog_events_max"`
SyslogPipePath string `json:"syslog_pipe_path"`
SyslogRateLimit uint64 `json:"syslog_rate_limit"`
TableDelay uint64 `json:"table_delay"`
TableExceptions bool `json:"table_exceptions"`
ThriftStringSizeLimit int32 `json:"thrift_string_size_limit"`
ThriftTimeout uint32 `json:"thrift_timeout"`
ThriftVerbose bool `json:"thrift_verbose"`
@ -347,35 +333,28 @@ type osqueryOptions struct {
// NOTE: generate automatically with `go run ./tools/osquery-agent-options/main.go`
type osqueryCommandLineFlags struct {
AlarmTimeout uint64 `json:"alarm_timeout"`
AuditAllowAcceptSocketEvents bool `json:"audit_allow_accept_socket_events"`
AuditAllowApparmorEvents bool `json:"audit_allow_apparmor_events"`
AuditAllowConfig bool `json:"audit_allow_config"`
AuditAllowFailedSocketEvents bool `json:"audit_allow_failed_socket_events"`
AuditAllowFimEvents bool `json:"audit_allow_fim_events"`
AuditAllowForkProcessEvents bool `json:"audit_allow_fork_process_events"`
AuditAllowKillProcessEvents bool `json:"audit_allow_kill_process_events"`
AuditAllowNullAcceptSocketEvents bool `json:"audit_allow_null_accept_socket_events"`
AuditAllowProcessEvents bool `json:"audit_allow_process_events"`
AuditAllowSeccompEvents bool `json:"audit_allow_seccomp_events"`
AuditAllowSelinuxEvents bool `json:"audit_allow_selinux_events"`
AuditAllowSockets bool `json:"audit_allow_sockets"`
AuditAllowUserEvents bool `json:"audit_allow_user_events"`
AuditBacklogLimit int32 `json:"audit_backlog_limit"`
AuditBacklogWaitTime int32 `json:"audit_backlog_wait_time"`
AuditForceReconfigure bool `json:"audit_force_reconfigure"`
AuditForceUnconfigure bool `json:"audit_force_unconfigure"`
AuditPersist bool `json:"audit_persist"`
AugeasLenses string `json:"augeas_lenses"`
AwsAccessKeyId string `json:"aws_access_key_id"`
AwsDebug bool `json:"aws_debug"`
AwsDisableImdsv1Fallback bool `json:"aws_disable_imdsv1_fallback"`
AwsEnableProxy bool `json:"aws_enable_proxy"`
AwsEnforceFips bool `json:"aws_enforce_fips"`
AwsFirehoseEndpoint string `json:"aws_firehose_endpoint"`
AwsFirehosePeriod uint64 `json:"aws_firehose_period"`
AwsFirehoseRegion string `json:"aws_firehose_region"`
AwsFirehoseStream string `json:"aws_firehose_stream"`
AwsImdsv2RequestAttempts uint32 `json:"aws_imdsv2_request_attempts"`
AwsImdsv2RequestInterval uint32 `json:"aws_imdsv2_request_interval"`
AwsKinesisDisableLogStatus bool `json:"aws_kinesis_disable_log_status"`
AwsKinesisEndpoint string `json:"aws_kinesis_endpoint"`
AwsKinesisPeriod uint64 `json:"aws_kinesis_period"`
AwsKinesisRandomPartitionKey bool `json:"aws_kinesis_random_partition_key"`
AwsKinesisRegion string `json:"aws_kinesis_region"`
AwsKinesisStream string `json:"aws_kinesis_stream"`
AwsProfileName string `json:"aws_profile_name"`
AwsProxyHost string `json:"aws_proxy_host"`
@ -390,8 +369,6 @@ type osqueryCommandLineFlags struct {
AwsStsRegion string `json:"aws_sts_region"`
AwsStsSessionName string `json:"aws_sts_session_name"`
AwsStsTimeout uint64 `json:"aws_sts_timeout"`
BpfBufferStorageSize uint64 `json:"bpf_buffer_storage_size"`
BpfPerfEventArrayExp uint64 `json:"bpf_perf_event_array_exp"`
BufferedLogMax uint64 `json:"buffered_log_max"`
CarverBlockSize uint32 `json:"carver_block_size"`
CarverCompression bool `json:"carver_compression"`
@ -423,7 +400,6 @@ type osqueryCommandLineFlags struct {
DisableExtensions bool `json:"disable_extensions"`
DisableHashCache bool `json:"disable_hash_cache"`
DisableLogging bool `json:"disable_logging"`
DisableMemory bool `json:"disable_memory"`
DisableReenrollment bool `json:"disable_reenrollment"`
DisableTables string `json:"disable_tables"`
DisableWatchdog bool `json:"disable_watchdog"`
@ -435,32 +411,35 @@ type osqueryCommandLineFlags struct {
DistributedTlsReadEndpoint string `json:"distributed_tls_read_endpoint"`
DistributedTlsWriteEndpoint string `json:"distributed_tls_write_endpoint"`
DockerSocket string `json:"docker_socket"`
EnableBpfEvents bool `json:"enable_bpf_events"`
EnableExtensionsWatchdog bool `json:"enable_extensions_watchdog"`
EnableFileEvents bool `json:"enable_file_events"`
EnableForeign bool `json:"enable_foreign"`
EnableNumericMonitoring bool `json:"enable_numeric_monitoring"`
EnableSyslog bool `json:"enable_syslog"`
EnableTables string `json:"enable_tables"`
EnableWatchdogDebug bool `json:"enable_watchdog_debug"`
EnrollAlways bool `json:"enroll_always"`
EnrollSecretEnv string `json:"enroll_secret_env"`
EnrollSecretPath string `json:"enroll_secret_path"`
EnrollTlsEndpoint string `json:"enroll_tls_endpoint"`
Ephemeral bool `json:"ephemeral"`
EsFimEnableOpenEvents bool `json:"es_fim_enable_open_events"`
EventsExpiry uint64 `json:"events_expiry"`
EventsMax uint64 `json:"events_max"`
EventsOptimize bool `json:"events_optimize"`
ExperimentList string `json:"experiment_list"`
ExtensionsAutoload string `json:"extensions_autoload"`
ExtensionsDefaultIndex bool `json:"extensions_default_index"`
ExtensionsInterval uint64 `json:"extensions_interval"`
ExtensionsInterval string `json:"extensions_interval"`
ExtensionsRequire string `json:"extensions_require"`
ExtensionsSocket string `json:"extensions_socket"`
ExtensionsTimeout uint64 `json:"extensions_timeout"`
ExtensionsTimeout string `json:"extensions_timeout"`
Force bool `json:"force"`
HashCacheMax uint32 `json:"hash_cache_max"`
HostIdentifier string `json:"host_identifier"`
IgnoreTableExceptions bool `json:"ignore_table_exceptions"`
Install bool `json:"install"`
KeepContainerWorkerOpen bool `json:"keep_container_worker_open"`
KeychainAccessCache bool `json:"keychain_access_cache"`
KeychainAccessInterval uint32 `json:"keychain_access_interval"`
LoggerEventType bool `json:"logger_event_type"`
LoggerKafkaAcks string `json:"logger_kafka_acks"`
LoggerKafkaBrokers string `json:"logger_kafka_brokers"`
@ -485,7 +464,6 @@ type osqueryCommandLineFlags struct {
LoggerTlsMaxLinesize uint64 `json:"logger_tls_max_linesize"`
LoggerTlsPeriod uint64 `json:"logger_tls_period"`
Logtostderr bool `json:"logtostderr"`
LxdSocket string `json:"lxd_socket"`
Nullvalue string `json:"nullvalue"`
NumericMonitoringFilesystemPath string `json:"numeric_monitoring_filesystem_path"`
NumericMonitoringPlugins string `json:"numeric_monitoring_plugins"`
@ -504,12 +482,7 @@ type osqueryCommandLineFlags struct {
ScheduleTimeout uint64 `json:"schedule_timeout"`
SpecifiedIdentifier string `json:"specified_identifier"`
Stderrthreshold int32 `json:"stderrthreshold"`
SyslogEventsExpiry uint64 `json:"syslog_events_expiry"`
SyslogEventsMax uint64 `json:"syslog_events_max"`
SyslogPipePath string `json:"syslog_pipe_path"`
SyslogRateLimit uint64 `json:"syslog_rate_limit"`
TableDelay uint64 `json:"table_delay"`
TableExceptions bool `json:"table_exceptions"`
ThriftStringSizeLimit int32 `json:"thrift_string_size_limit"`
ThriftTimeout uint32 `json:"thrift_timeout"`
ThriftVerbose bool `json:"thrift_verbose"`
@ -544,8 +517,34 @@ type osqueryCommandLineFlags struct {
// osquery. They are exported so they can be used by the
// tools/osquery-agent-options script.
type OsqueryCommandLineFlagsLinux struct {
MallocTrimThreshold uint64 `json:"malloc_trim_threshold"`
AuditAllowAcceptSocketEvents bool `json:"audit_allow_accept_socket_events"`
AuditAllowApparmorEvents bool `json:"audit_allow_apparmor_events"`
AuditAllowFailedSocketEvents bool `json:"audit_allow_failed_socket_events"`
AuditAllowForkProcessEvents bool `json:"audit_allow_fork_process_events"`
AuditAllowKillProcessEvents bool `json:"audit_allow_kill_process_events"`
AuditAllowNullAcceptSocketEvents bool `json:"audit_allow_null_accept_socket_events"`
AuditAllowSeccompEvents bool `json:"audit_allow_seccomp_events"`
AuditAllowSelinuxEvents bool `json:"audit_allow_selinux_events"`
AuditBacklogLimit int32 `json:"audit_backlog_limit"`
AuditBacklogWaitTime int32 `json:"audit_backlog_wait_time"`
AuditForceReconfigure bool `json:"audit_force_reconfigure"`
AuditForceUnconfigure bool `json:"audit_force_unconfigure"`
AuditPersist bool `json:"audit_persist"`
BpfBufferStorageSize uint64 `json:"bpf_buffer_storage_size"`
BpfPerfEventArrayExp uint64 `json:"bpf_perf_event_array_exp"`
DisableMemory bool `json:"disable_memory"`
EnableBpfEvents bool `json:"enable_bpf_events"`
EnableSyslog bool `json:"enable_syslog"`
ExperimentsLinuxeventsCircularBufferSize uint32 `json:"experiments_linuxevents_circular_buffer_size"`
ExperimentsLinuxeventsPerfOutputSize uint32 `json:"experiments_linuxevents_perf_output_size"`
HardwareDisabledTypes string `json:"hardware_disabled_types"`
KeepContainerWorkerOpen bool `json:"keep_container_worker_open"`
LxdSocket string `json:"lxd_socket"`
MallocTrimThreshold uint64 `json:"malloc_trim_threshold"`
SyslogEventsExpiry uint64 `json:"syslog_events_expiry"`
SyslogEventsMax uint64 `json:"syslog_events_max"`
SyslogPipePath string `json:"syslog_pipe_path"`
SyslogRateLimit uint64 `json:"syslog_rate_limit"`
}
type OsqueryCommandLineFlagsWindows struct {
@ -555,8 +554,17 @@ type OsqueryCommandLineFlagsWindows struct {
GroupsServiceInterval uint64 `json:"groups_service_interval"`
EnableNtfsEventPublisher bool `json:"enable_ntfs_event_publisher"`
EnablePowershellEventsSubscriber bool `json:"enable_powershell_events_subscriber"`
EnableProcessEtwEvents bool `json:"enable_process_etw_events"`
EnableWindowsEventsPublisher bool `json:"enable_windows_events_publisher"`
EnableWindowsEventsSubscriber bool `json:"enable_windows_events_subscriber"`
EtwKernelTraceBufferSize uint32 `json:"etw_kernel_trace_buffer_size"`
EtwKernelTraceFlushTimer uint32 `json:"etw_kernel_trace_flush_timer"`
EtwKernelTraceMaximumBuffers uint32 `json:"etw_kernel_trace_maximum_buffers"`
EtwKernelTraceMinimumBuffers uint32 `json:"etw_kernel_trace_minimum_buffers"`
EtwUserspaceTraceBufferSize uint32 `json:"etw_userspace_trace_buffer_size"`
EtwUserspaceTraceFlushTimer uint32 `json:"etw_userspace_trace_flush_timer"`
EtwUserspaceTraceMaximumBuffers uint32 `json:"etw_userspace_trace_maximum_buffers"`
EtwUserspaceTraceMinimumBuffers uint32 `json:"etw_userspace_trace_minimum_buffers"`
NtfsEventPublisherDebug bool `json:"ntfs_event_publisher_debug"`
WindowsEventChannels string `json:"windows_event_channels"`
UsnJournalReaderDebug bool `json:"usn_journal_reader_debug"`
@ -577,6 +585,7 @@ type OsqueryCommandLineFlagsMacOS struct {
type OsqueryCommandLineFlagsHidden struct {
AlsoLogToStderr bool `json:"alsologtostderr"`
EventsStreamingPlugin string `json:"events_streaming_plugin"`
IgnoreRegistryExceptions bool `json:"ignore_registry_exceptions"`
LogBufSecs int32 `json:"logbufsecs"`
LogDir string `json:"log_dir"`
MaxLogSize int32 `json:"max_log_size"`
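Review bot: `ExtensionsInterval` and `ExtensionsTimeout` in `osqueryCommandLineFlags` appear to change from `uint64` to `string` (the page prints the `uint64` line first, so the direction is inferred), which would make a stored numeric value such as `"extensions_timeout": 10` fail validation where it previously passed. The decoder is not visible here, but if it is strict about types and unknown fields, agent options saved before this change need an upgrade note in the changes file or a type that tolerates both forms. The same concern applies to `table_exceptions`: configurations that still carry it would be rejected once the field is gone, so operators should be told to rename it to `ignore_table_exceptions`. A short comment such as `// string since osquery 5.11; numeric values are no longer accepted` on the two fields would record the intent. The struct bodies start and end outside the hunks shown.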


@ -119,6 +119,13 @@ func TestValidateAgentOptions(t *testing.T) {
"yara_malloc_trim": true
}
}}`, true, `unknown field "yara_malloc_trim"`},
{
"option added in osquery 5.11.0", `{"config":{
"options": {
"keychain_access_cache": true
}
}}`, true, ``,
},
{"valid command-line flag", `{"command_line_flags":{
"alarm_timeout": 1
}}`, true, ``},
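Review bot: The added case covers only `keychain_access_cache` under `config.options`, so nothing in this hunk pins the flag replacement the commit describes. I would add one case that submits `table_exceptions` and expects `unknown field "table_exceptions"`, and one that submits `ignore_table_exceptions` and expects no error, both in the shape of the neighbouring entries. A third case under `command_line_flags` that passes `extensions_timeout` as a string would lock in the type shown in the struct. The test table starts and ends outside the hunk, so equivalent cases may already exist elsewhere.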


@ -6,6 +6,8 @@ It prints the resulting Go code to stdout (the `osqueryOptions` and the `osquery
Note that the latest version of osquery should be installed for this tool to work properly (`osqueryd` and `osqueryi` must be in your $PATH).
The system that you use to run this on makes a difference. On 5.11.0, this flow was run on macOS.
## OS-specific flags
Some osquery flags are OS-specific and will not show up either with `osqueryd --help` or with the `osqueryi` query, depending on the OS you're running those on. In the code (in `server/fleet/agent_options.go`), those OS-specific flags are defined in the `OsqueryCommandLineFlags{Linux,MacOS,Windows}` structs, and the `osquery-agent-options` tool will automatically ignore from its generated struct any flag already defined as part of one of the OS-specific structs.
@ -15,7 +17,7 @@ It can be hard to even know what OS-specific flags exist, because of the fact th
```
# ag is the Silver Searcher, a grep alternative, but it should work with grep too, maybe
# with some small adjustments to the flags.
$ ag --nofilename -o 'FLAGS_[a-z0-9_]+' | sort | uniq | cut -d _ --complement -f 1
$ ag --nofilename -o 'FLAGS_[a-z0-9_]+' ./osquery/ ./plugins/ | sort | uniq | gcut -d _ --complement -f 1
```
This finds all flags defined in the osquery codebase (assuming all flags are built the same way). It is then possible to run a diff of this list with the list from the `osqueryi` query (e.g. `osqueryi --list 'select name from osquery_flags;'`), and the missing ones are _possibly/likely_ OS-specific. It's not an automatable task, as some judgement and manual code inspection may be necessary (some flags may be just in a test file, there may be some false-positives like `FLAGS_start` and `FLAGS_end` that are only sentinel values, the code line may be commented-out, etc.), but at least it gives a list of potential such flags.


@ -29,14 +29,20 @@ audit_show_untracked_res_warnings
augeas_lenses
aws_access_key_id
aws_debug
aws_disable_imdsv1_fallback
aws_enable_proxy
aws_enforce_fips
aws_firehose_endpoint
aws_firehose_period
aws_firehose_region
aws_firehose_stream
aws_imdsv2_request_attempts
aws_imdsv2_request_interval
aws_kinesis_disable_log_status
aws_kinesis_endpoint
aws_kinesis_period
aws_kinesis_random_partition_key
aws_kinesis_region
aws_kinesis_stream
aws_profile_name
aws_proxy_host
@ -87,7 +93,6 @@ disable_endpointsecurity_fim
disable_enrollment
disable_events
disable_extensions
disable_forensic
disable_hash_cache
disable_logging
disable_memory
@ -111,23 +116,36 @@ enable_mouse_events
enable_ntfs_event_publisher
enable_numeric_monitoring
enable_powershell_events_subscriber
enable_process_etw_events
enable_syslog
enable_watchdog_debug
enable_windows_events_publisher
enable_windows_events_subscriber
enable_yara_string
end
enroll_always
enroll_secret_env
enroll_secret_path
enroll_tls_endpoint
ephemeral
es_fim_enable_open_events
es_fim_mute_path_literal
es_fim_mute_path_prefix
etw_kernel_trace_buffer_size
etw_kernel_trace_flush_timer
etw_kernel_trace_maximum_buffers
etw_kernel_trace_minimum_buffers
etw_userspace_trace_buffer_size
etw_userspace_trace_flush_timer
etw_userspace_trace_maximum_buffers
etw_userspace_trace_minimum_buffers
events_enforce_denylist
events_expiry
events_max
events_optimize
events_streaming_plugin
experiment_list
experiments_linuxevents_circular_buffer_size
experiments_linuxevents_perf_output_size
extension
extension_only
extensions_autoload
@ -136,10 +154,8 @@ extensions_interval
extensions_require
extensions_socket
extensions_timeout
filename
flag
flagfile
foo
force
groups_service_delay
groups_service_interval
@ -148,14 +164,18 @@ hash_cache_max
hash_delay
header
host_identifier
ignore_registry_exceptions
ignore_table_exceptions
install
json
json_pretty
keep_container_worker_open
keychain_access_cache
keychain_access_interval
line
list
logbufsecs
log_dir
logbufsecs
logger_event_type
logger_kafka_acks
logger_kafka_brokers
@ -184,8 +204,6 @@ logtostderr
lxd_socket
max_log_size
minloglevel
no
nono
ntfs_event_publisher_debug
nullvalue
numeric_monitoring_filesystem_path
@ -196,14 +214,11 @@ pack_delimiter
pack_refresh_interval
pidfile
planner
plist_iterations
port
profile
profile_delay
proxy_hostname
read_max
regex_max_size
registry_exceptions
rocksdb_background_flushes
rocksdb_buffer_blocks
rocksdb_merge_number
@ -220,7 +235,6 @@ separator
shell_only
shell_only_alias
specified_identifier
start
stderrthreshold
stop_logging_if_full_disk
syslog_events_expiry
@ -228,7 +242,6 @@ syslog_events_max
syslog_pipe_path
syslog_rate_limit
table_delay
table_exceptions
test_double
test_double_alias
test_int32
@ -269,7 +282,5 @@ watchdog_level
watchdog_max_delay
watchdog_memory_limit
watchdog_utilization_limit
whatever
windows_event_channels
xxx
yara_delay