{"id":14199,"date":"2022-09-29T22:03:05","date_gmt":"2022-09-29T19:03:05","guid":{"rendered":"https:\/\/kifarunix.com\/?p=14199"},"modified":"2024-03-09T21:05:38","modified_gmt":"2024-03-09T18:05:38","slug":"enroll-windows-systems-into-osquery-fleet-manager","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/enroll-windows-systems-into-osquery-fleet-manager\/","title":{"rendered":"Enroll Windows Systems into Osquery Fleet Manager"},"content":{"rendered":"\n<p>Welcome to our guide on how to enroll Windows systems into Osquery Fleet Manager. <em><a href=\"https:\/\/github.com\/fleetdm\/fleet\" target=\"_blank\" rel=\"noreferrer noopener\">Fleet<\/a>&nbsp;is the most widely used open source osquery manager. Deploying osquery with Fleet enables programmable live queries, streaming logs, and effective management of osquery across 50,000+ servers, containers, and laptops. It\u2019s especially useful for talking to multiple devices at the same time.<\/em><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Enroll Windows Systems into Osquery Fleet Manager<\/h2>\n\n\n\n<p>There are two ways to enroll Windows systems into Osquery Fleet Manager;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/kifarunix.com\/enroll-osquery-hosts-on-fleet-manager\/#enroll-hosts-using-fleet-osquery-package\">Via the Fleet-Osquery Windows package<\/a><\/li>\n\n\n\n<li><a href=\"#enroll-hosts-using-osquery-package\">Using the plain Osquery package<\/a><\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"enroll-hosts-using-fleet-osquery-package\">Enroll Windows Systems using Fleet-Osquery Windows Package<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\">Install Fleetctl on Fleet Manager<\/h4>\n\n\n\n<p>To enroll Windows systems using the Fleet-Osquery package, ensure that the <code>fleetctl<\/code> command is installed on the Fleet Manager. 
Fleetctl will be used to generate the Fleet-osquery MSI installer for Windows systems.<\/p>\n\n\n\n<p>If not already installed, you can install Fleetctl on the Fleet Manager as follows;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Download the Fleetctl binary archive for your system from the&nbsp;<a href=\"https:\/\/github.com\/fleetdm\/fleet\/releases\" target=\"_blank\" rel=\"noreferrer noopener\">Fleet releases page<\/a>.<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>wget https:\/\/github.com\/fleetdm\/fleet\/releases\/download\/fleet-v4.20.1\/fleetctl_v4.20.1_linux.zip -P \/tmp<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Extract the&nbsp;<strong><code>fleetctl<\/code><\/strong>&nbsp;binary and place it under&nbsp;<code>\/usr\/local\/bin<\/code>;<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo unzip -j \/tmp\/fleetctl_v4.20.1_linux.zip \"fleetctl_v4.20.1_linux\/fleetctl\" -d \/usr\/local\/bin\/<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">Install Docker on Fleet Manager Host<\/h4>\n\n\n\n<p>Install Docker on the Fleet Manager host. 
This is required because <code>fleetctl package<\/code> builds the osquery MSI installer inside a Docker container.<\/p>\n\n\n\n<p>On RHEL-based systems, remove the podman and buildah packages, which conflict with docker-ce, and then install docker-ce;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>dnf remove podman buildah<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>dnf install docker-ce<\/code><\/pre>\n\n\n\n<p>Once installed, start the Docker service;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>systemctl start docker<\/code><\/pre>\n\n\n\n<p>Consult your Linux distribution documentation on how to install Docker.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Generate Fleet-osquery Windows Package<\/h4>\n\n\n\n<p>Once you have installed the fleetctl command on the Fleet Manager, navigate to the Fleet Manager web UI &gt; <strong>Hosts &gt; Add hosts<\/strong> &gt; <strong>Windows<\/strong>.<\/p>\n\n\n\n<div><a href=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/09\/add-windows-hosts-wizard.png\" class=\"td-modal-image\"><figure class=\"wp-block-image aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1886\" height=\"659\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/09\/add-windows-hosts-wizard.png\" alt=\"Enroll Windows Systems into Osquery Fleet Manager\" class=\"wp-image-14210\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/09\/add-windows-hosts-wizard.png?v=1664389169 1886w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/09\/add-windows-hosts-wizard-768x268.png?v=1664389169 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/09\/add-windows-hosts-wizard-1536x537.png?v=1664389169 1536w\" sizes=\"(max-width: 1886px) 100vw, 1886px\" \/><\/figure><\/a><\/div>\n\n\n\n<p>Copy the installer-generating command shown on the wizard above and execute it on the Fleet Manager. 
The command generates the MSI installer.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>fleetctl package --type=msi --fleet-desktop \\\n--fleet-url=https:\/\/fleet.kifarunix-demo.com:8080 \\\n--enroll-secret=wFULaNuzE0wuo3\/z3jbZNV5ZD0Ku1ERJ<\/code><\/pre>\n\n\n\n<p>Sample command output;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>Generating your osquery installer...\nUnable to find image 'fleetdm\/wix:latest' locally\nlatest: Pulling from fleetdm\/wix\n7d63c13d9b9b: Pull complete \nd6b3bca85310: Pull complete \n26a41d401cc6: Pull complete \n1a28001a7315: Pull complete \n86ad66875459: Pull complete \n4f4fb700ef54: Pull complete \nDigest: sha256:3183e1a702efe74cef600b73c193605bed5aeff53f09cf858b86fe66efdd8e3e\nStatus: Downloaded newer image for fleetdm\/wix:latest\nWindows Installer XML Toolset Toolset Harvester version \nCopyright (c) .NET Foundation and contributors. All rights reserved.\n\nWindows Installer XML Toolset Compiler version \nCopyright (c) .NET Foundation and contributors. All rights reserved.\n\nheat.wxs\nmain.wxs\nWindows Installer XML Toolset Linker version \nCopyright (c) .NET Foundation and contributors. All rights reserved.\n\n\nSuccess! You generated an osquery installer at \/root\/fleet-osquery.msi\n\nTo add this device to Fleet, double-click to open your installer.\n\nTo add other devices to Fleet, distribute this installer using Chef, Ansible, Jamf, or Puppet. 
Learn how: https:\/\/fleetdm.com\/docs\/using-fleet\/adding-hosts\n<\/code><\/pre>\n\n\n\n<p>The command generates the <strong><code>fleet-osquery.msi<\/code><\/strong> installer in the current working directory. The enroll secret is embedded in the installer, so distribute the MSI only through trusted channels.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Install Fleet Osquery Package on Windows system<\/h4>\n\n\n\n<p>Copy the Fleet Osquery MSI installer to the Windows system and install it by double-clicking the MSI.<\/p>\n\n\n\n<p>You can also run the MSI from PowerShell.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>C:\\Users\\kifarunix\\Downloads\\fleet-osquery.msi<\/code><\/pre>\n\n\n\n<p>Fleet-osquery is installed as the Orbit program under <strong><code>C:\\Program Files\\Orbit<\/code><\/strong>;<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1130\" height=\"637\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/09\/fleet-osquery-orbit-program.png\" alt=\"\" class=\"wp-image-14211\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/09\/fleet-osquery-orbit-program.png?v=1664391218 1130w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/09\/fleet-osquery-orbit-program-768x433.png?v=1664391218 768w\" sizes=\"(max-width: 1130px) 100vw, 1130px\" \/><\/figure>\n\n\n\n<p>The installer also creates the Fleet osquery service;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Get-Service -Name \"fleet*\"<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>Status   Name               DisplayName\n------   ----               -----------\nRunning  Fleet osquery      Fleet osquery\n\n\nPS C:\\Windows\\system32&gt;<\/code><\/pre>\n\n\n\n<p>Before the Fleet-osquery agent can connect to the Fleet Manager, download the Fleet Manager TLS certificate and save it as <strong><code>C:\\ProgramData\\fleet.pem<\/code><\/strong>; the agent uses it to verify the Fleet server's certificate.<\/p>\n\n\n\n<p>Next, edit the <strong><code>osquery.flags<\/code><\/strong> file and add the path to the TLS certificate by adding the line 
below;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>--tls_server_certs=C:\\ProgramData\\fleet.pem<\/code><\/pre>\n\n\n\n<p>Next, ensure that the Fleet server is reachable from the Windows host via the domain name used in the Fleet URL;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ping fleet.kifarunix-demo.com<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>\nPinging fleet.kifarunix-demo.com &#91;192.168.57.48] with 32 bytes of data:\nReply from 192.168.57.48: bytes=32 time&lt;1ms TTL=64\nReply from 192.168.57.48: bytes=32 time&lt;1ms TTL=64\nReply from 192.168.57.48: bytes=32 time&lt;1ms TTL=64\nReply from 192.168.57.48: bytes=32 time=1ms TTL=64\n\nPing statistics for 192.168.57.48:\n    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),\nApproximate round trip times in milli-seconds:\n    Minimum = 0ms, Maximum = 1ms, Average = 0ms<\/code><\/pre>\n\n\n\n<p>Restart the Fleet-osquery service;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Restart-Service 'Fleet osquery'<\/code><\/pre>\n\n\n\n<p>The agent should now show up on the Fleet Manager Hosts page;<\/p>\n\n\n\n<div><a href=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/09\/enroll-windows-host-fleet-osquery-manager-1.png\" class=\"td-modal-image\"><figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1896\" height=\"541\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/09\/enroll-windows-host-fleet-osquery-manager-1.png\" alt=\"\" class=\"wp-image-14213\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/09\/enroll-windows-host-fleet-osquery-manager-1.png?v=1664472737 1896w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/09\/enroll-windows-host-fleet-osquery-manager-1-768x219.png?v=1664472737 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/09\/enroll-windows-host-fleet-osquery-manager-1-1536x438.png?v=1664472737 1536w\" sizes=\"(max-width: 1896px) 100vw, 1896px\" \/><\/figure><\/a><\/div>\n\n\n\n<h3 class=\"wp-block-heading\" 
id=\"enroll-hosts-using-osquery-package\">Enroll Windows Systems using Plain Osquery Package<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\">Install Osquery Package on Windows Systems<\/h4>\n\n\n\n<p>To enroll Windows systems using the plain osquery package, you need to install the Osquery package on the Windows system first.<\/p>\n\n\n\n<p>Follow the guide below;<\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/install-osquery-on-windows-system\/\" target=\"_blank\" rel=\"noreferrer noopener\">Install Osquery on Windows system<\/a><\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Download Secret, Flags File and TLS Certificate from the Fleet Manager<\/h4>\n\n\n\n<p>Next, navigate to the Fleet Manager <strong>Hosts<\/strong> page &gt; <strong>Add hosts<\/strong> &gt; <strong>Advanced<\/strong>. Click the <strong>Plain osquery<\/strong> drop-down menu to expand the page.<\/p>\n\n\n\n<p>Click the individual download links to download the enroll secret, the Fleet certificate and the flagfile.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1875\" height=\"923\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/09\/download-secret-flag-tls-files.png\" alt=\"\" class=\"wp-image-14214\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/09\/download-secret-flag-tls-files.png?v=1664476486 1875w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/09\/download-secret-flag-tls-files-768x378.png?v=1664476486 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/09\/download-secret-flag-tls-files-1536x756.png?v=1664476486 1536w\" sizes=\"(max-width: 1875px) 100vw, 1875px\" \/><\/figure><\/div>\n\n\n<p>We have downloaded these files to the Windows host's Downloads folder.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ls .\\Downloads\\<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>    Directory: C:\\Users\\kifarunix\\Downloads\n\n\nMode                 LastWriteTime         Length Name\n----      
           -------------         ------ ----\n-a----         9\/29\/2022  11:38 AM            822 flagfile.txt\n-a----         9\/29\/2022  11:38 AM           1143 fleet.pem\n-a----         9\/29\/2022  10:49 AM       17453056 osquery-5.5.1.msi\n-a----         9\/29\/2022  11:38 AM             32 secret.txt<\/code><\/pre>\n\n\n\n<p>Move the secret file and the TLS certificate to the C:\\ProgramData folder or any other suitable folder. <strong>Ensure you run PowerShell as Administrator<\/strong> if using PowerShell to move the files. Since any host that presents the enroll secret can enroll, restrict read access to <code>secret.txt<\/code> to administrators and the account the osqueryd service runs as.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>mv .\\Downloads\\fleet.pem C:\\ProgramData\\<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>mv .\\Downloads\\secret.txt C:\\ProgramData\\<\/code><\/pre>\n\n\n\n<p>Replace the default osquery flags file with the flags file you downloaded from the Fleet Manager;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>rm 'C:\\Program Files\\osquery\\osquery.flags'<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>mv .\\Downloads\\flagfile.txt 'C:\\Program Files\\osquery\\osquery.flags'<\/code><\/pre>\n\n\n\n<p>Next, open the flags file and update the paths to the TLS certificate and secret files;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>notepad 'C:\\Program Files\\osquery\\osquery.flags'<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\n# Server\n--tls_hostname=fleet.kifarunix-demo.com:8080\n--tls_server_certs=<strong>C:\\ProgramData\\fleet.pem<\/strong>\n# Enrollment\n--host_identifier=instance\n--enroll_secret_path=<strong>C:\\ProgramData\\secret.txt<\/strong>\n--enroll_tls_endpoint=\/api\/osquery\/enroll\n# Configuration\n--config_plugin=tls\n--config_tls_endpoint=\/api\/v1\/osquery\/config\n--config_refresh=10\n# Live query\n--disable_distributed=false\n--distributed_plugin=tls\n--distributed_interval=10\n--distributed_tls_max_attempts=3\n--distributed_tls_read_endpoint=\/api\/v1\/osquery\/distributed\/read\n--distributed_tls_write_endpoint=\/api\/v1\/osquery\/distributed\/write\n# 
Logging\n--logger_plugin=tls\n--logger_tls_endpoint=\/api\/v1\/osquery\/log\n--logger_tls_period=10\n# File carving\n--disable_carver=false\n--carver_start_endpoint=\/api\/v1\/osquery\/carve\/begin\n--carver_continue_endpoint=\/api\/v1\/osquery\/carve\/block\n--carver_block_size=2000000\n<\/code><\/pre>\n\n\n\n<p>Save the changes.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Restart Osquery Service to Enroll the Windows Host<\/h4>\n\n\n\n<p>Restart the osqueryd service;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Restart-Service osqueryd<\/code><\/pre>\n\n\n\n<p>Your Windows host should now be enrolled;<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1905\" height=\"535\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/09\/enroll-windows-host-fleet-osquery.png\" alt=\"\" class=\"wp-image-14216\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/09\/enroll-windows-host-fleet-osquery.png?v=1664477886 1905w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/09\/enroll-windows-host-fleet-osquery-768x216.png?v=1664477886 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/09\/enroll-windows-host-fleet-osquery-1536x431.png?v=1664477886 1536w\" sizes=\"(max-width: 1905px) 100vw, 1905px\" \/><\/figure>\n\n\n\n<p>And that is it on how to enroll Windows systems in Osquery Fleet Manager.<\/p>\n\n\n\n<p>You can now run queries against your Windows hosts, for example;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>SELECT * from users;<\/code><\/pre>\n\n\n\n<p>Sample output of the query;<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1890\" height=\"1535\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/09\/fleet-osquery-query-windows.png\" alt=\"\" class=\"wp-image-14220\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/09\/fleet-osquery-query-windows.png?v=1664479005 1890w, 
https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/09\/fleet-osquery-query-windows-768x624.png?v=1664479005 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/09\/fleet-osquery-query-windows-1536x1247.png?v=1664479005 1536w\" sizes=\"(max-width: 1890px) 100vw, 1890px\" \/><\/figure>\n\n\n\n<p>That marks the end of this guide. Explore osquery further.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Other Tutorials<\/h3>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/install-fleet-osquery-manager-on-oracle-linux\/\" target=\"_blank\" rel=\"noreferrer noopener\">Install Fleet Osquery Manager on Oracle Linux<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/monitor-windows-systems-using-elastic-osquery-manager\/\" target=\"_blank\" rel=\"noreferrer noopener\">Monitor Windows Systems using Elastic Osquery Manager<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Welcome to our guide on how to enroll Windows systems into Osquery Fleet Manager. Fleet&nbsp;is the most widely used open source osquery manager. 
Deploying osquery<\/p>\n","protected":false},"author":1,"featured_media":14210,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[72,121,34],"tags":[5872,5870,5868,5853,5869,5871,1066],"class_list":["post-14199","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-monitoring","category-howtos","category-security","tag-enroll-windows-into-osquery-fleet","tag-enroll-windows-osquery-fleet","tag-enroll-windows-systems-into-osquery-fleet-manager","tag-fleet-manager","tag-fleet-manager-osquery-enroll-hosts","tag-install-osquery-and-enroll-windows","tag-osquery","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50","resize-featured-image"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/14199"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=14199"}],"version-history":[{"count":7,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/14199\/revisions"}],"predecessor-version":[{"id":20610,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/14199\/revisions\/20610"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media\/14210"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=14199"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=14199"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=14199"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}