fleet/docs/application/scheduling-queries.md
2017-09-21 16:51:26 -06:00


# Scheduling Queries

As discussed in the Running Queries documentation, you can use the Fleet application to create, execute, and save osquery queries. You can organize these queries into "Query Packs". To view all saved packs or create a new pack, select "Manage Packs" from the "Packs" sidebar. Packs are usually organized by the general class of instrumentation that you're trying to perform.

*Screenshot: Manage Packs*

If you select a pack from the list, you can quickly enable and disable the entire pack, or you can configure it further.

*Screenshot: Manage Packs with a pack selected*

When you edit a pack, you can decide which targets (hosts and labels) the pack should execute on. This is a similar selection experience to the target selection process that you use to execute a new query.

*Screenshot: Edit Pack Targets*

To add queries to a pack, use the right-hand sidebar. You can take an existing saved query and add it to the pack. You must also define a few key details:

- interval: how often, in seconds, should the query be executed?
- logging: which osquery logging format would you like to use (differential or snapshot)?
- platform: which operating system platforms should execute this query?
- minimum osquery version: if the table was introduced in a newer version of osquery, you may want to ensure that only sufficiently recent versions of osquery execute the query.
- shard: from 0 to 100, what percentage of the targeted hosts should execute this query?

*Screenshot: Schedule Query sidebar*
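The five sidebar settings above map onto fields of the pack format that osquery itself consumes (`interval`, `snapshot`, `removed`, `platform`, `version`, `shard`). The following is an added example, not Fleet's own code, that validates those settings and emits the equivalent osquery pack entry; the accepted platform tokens, the three logging choices, and the shard hashing are assumptions made for illustration and are not copied from Fleet or osquery.

```python
import hashlib
import json

# Platform tokens accepted in an osquery pack's "platform" field
# (assumption based on osquery's pack documentation).
VALID_PLATFORMS = {"darwin", "linux", "windows", "posix", "freebsd", "any"}
# Logging choices as offered in Fleet's sidebar (assumed names).
LOGGING_MODES = ("differential", "differential_ignore_removals", "snapshot")


def scheduled_query(sql, interval, logging="differential", platform="any",
                    min_osquery_version=None, shard=None):
    """Turn one 'Schedule Query' sidebar form into an osquery pack entry,
    rejecting values the agent would silently misinterpret."""
    if not isinstance(interval, int) or interval <= 0:
        raise ValueError("interval must be a positive number of seconds")
    if logging not in LOGGING_MODES:
        raise ValueError("logging must be one of %s" % (LOGGING_MODES,))
    if platform not in VALID_PLATFORMS:
        raise ValueError("unknown platform %r" % platform)
    if shard is not None and not 0 <= shard <= 100:
        raise ValueError("shard is a percentage of hosts, 0-100")
    entry = {"query": sql, "interval": interval, "platform": platform}
    if logging == "snapshot":
        entry["snapshot"] = True   # log the full result set every run
    elif logging == "differential_ignore_removals":
        entry["removed"] = False   # log added rows only, never removed ones
    if min_osquery_version:
        entry["version"] = min_osquery_version  # older agents skip the query
    if shard is not None:
        entry["shard"] = shard
    return entry


def build_pack(queries):
    """Serialize a dict of name -> entry as a pack JSON document."""
    return json.dumps({"queries": queries}, indent=2, sort_keys=True)


def host_in_shard(host_uuid, shard):
    """Illustrative shard check: hash the host identifier into a stable
    bucket 0-99 and include the host when the bucket is below the shard
    percent. Constructed to show the idea; osquery's own hashing differs."""
    bucket = int(hashlib.sha256(host_uuid.encode()).hexdigest(), 16) % 100
    return bucket < shard
```

Because the shard decision is a deterministic function of the host identifier, the same host is always in or out of a given shard, so a 10% shard samples a fixed subset of the fleet rather than a different 10% on each run.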

Once you've scheduled queries and curated your packs, you can read our guide to Working With Osquery Logs.