{"id":8335,"date":"2021-03-20T21:37:09","date_gmt":"2021-03-20T18:37:09","guid":{"rendered":"https:\/\/kifarunix.com\/?p=8335"},"modified":"2024-03-19T18:43:33","modified_gmt":"2024-03-19T15:43:33","slug":"enroll-osquery-hosts-on-fleet-manager","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/enroll-osquery-hosts-on-fleet-manager\/","title":{"rendered":"Enroll Osquery Hosts on Fleet Manager"},"content":{"rendered":"\n<p>In this tutorial, you will learn how to add or enroll Osquery hosts on Fleet manager. <em><a href=\"https:\/\/github.com\/fleetdm\/fleet\" target=\"_blank\" aria-label=\" (opens in a new tab)\" rel=\"noreferrer noopener\" class=\"rank-math-link\">Fleet<\/a> is the most widely used open source osquery manager. Deploying osquery with Fleet enables programmable live queries, streaming logs, and effective management of osquery across 50,000+ servers, containers, and laptops. It\u2019s especially useful for talking to multiple devices at the same time.<\/em><\/p>\n\n\n\n<p>In our previous guide, we learnt how to install Osquery Fleet manager on Ubuntu 20.04\/22.04.<\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/install-fleet-osquery-manager-on-ubuntu\/\" target=\"_blank\" rel=\"noreferrer noopener\">Install Fleet Osquery Manager on Ubuntu 20.04\/Ubuntu 22.04<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Enrolling Osquery Hosts on Fleet Manager<\/h2>\n\n\n\n<p>There are different ways in which you can enroll hosts on Osquery Fleet manager;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"#enroll-hosts-using-fleet-osquery-package\">Via Fleet-Osquery Package<\/a><\/li>\n\n\n\n<li><a href=\"#enroll-hosts-using-osquery-package\">Using Osquery package<\/a><\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"enroll-hosts-using-fleet-osquery-package\">Enroll Hosts into Osquery Fleet Manager using Fleet-Osquery Package<\/h3>\n\n\n\n<p>This is an easy way to enroll hosts into Fleet Osquery manager.<\/p>\n\n\n\n<p>To begin 
with, install the Fleetctl binary on the host;<\/p>\n\n\n\n<p>Download the Fleetctl binary archive for your specific system from the <a href=\"https:\/\/github.com\/fleetdm\/fleet\/releases\" target=\"_blank\" rel=\"noreferrer noopener\">Fleet releases page<\/a>.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>wget https:\/\/github.com\/fleetdm\/fleet\/releases\/download\/fleet-v4.20.1\/fleetctl_v4.20.1_linux.zip -P \/tmp<\/code><\/pre>\n\n\n\n<p>Extract and place the <strong><code>fleetctl<\/code><\/strong> binary under <code>\/usr\/local\/bin<\/code>;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo unzip -j \/tmp\/fleetctl_v4.20.1_linux.zip \"fleetctl_v4.20.1_linux\/fleetctl\" -d \/usr\/local\/bin\/<\/code><\/pre>\n\n\n\n<p>Next, navigate to the Fleet Manager UI &gt; <strong>Hosts<\/strong> menu.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1917\" height=\"652\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/09\/fleet-dashboard-1.png\" alt=\"\" class=\"wp-image-14172\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/09\/fleet-dashboard-1.png?v=1664296017 1917w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/09\/fleet-dashboard-1-768x261.png?v=1664296017 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/09\/fleet-dashboard-1-1536x522.png?v=1664296017 1536w\" sizes=\"(max-width: 1917px) 100vw, 1917px\" \/><\/figure>\n\n\n\n<p>On the <strong>Hosts<\/strong> menu, click <strong>Add hosts<\/strong>. 
A wizard like the one below opens up.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1877\" height=\"542\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/09\/add-hosts-wizard.png\" alt=\"\" class=\"wp-image-14173\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/09\/add-hosts-wizard.png?v=1664296160 1877w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/09\/add-hosts-wizard-768x222.png?v=1664296160 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/09\/add-hosts-wizard-1536x444.png?v=1664296160 1536w\" sizes=\"(max-width: 1877px) 100vw, 1877px\" \/><\/figure>\n\n\n\n<p>Depending on the Linux distribution, choose the correct package type from the available options.<\/p>\n\n\n\n<p>For example, on a RHEL-based system, choose the Linux RPM option. If you are not running a desktop-based system, uncheck <strong>Include Fleet Desktop<\/strong>.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1885\" height=\"548\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/09\/fleet-package.png\" alt=\"\" class=\"wp-image-14174\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/09\/fleet-package.png?v=1664296464 1885w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/09\/fleet-package-768x223.png?v=1664296464 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/09\/fleet-package-1536x447.png?v=1664296464 1536w\" sizes=\"(max-width: 1885px) 100vw, 1885px\" \/><\/figure>\n\n\n\n<p>Copy the command and execute it on the host to generate the Fleet Osquery agent installer (this generates an RPM package);<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>fleetctl package --type=rpm --fleet-url=https:\/\/fleet.kifarunix-demo.com:8080 \\\n--enroll-secret=wFULaNuzE0wuo3\/z3jbZNV5ZD0Ku1ERJ<\/code><\/pre>\n\n\n\n<p>Sample output;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>Generating your osquery installer...\n\nSuccess! 
You generated an osquery installer at \/root\/fleet-osquery-1.1.0.x86_64.rpm\n\nTo add this device to Fleet, double-click to open your installer.\n\nTo add other devices to Fleet, distribute this installer using Chef, Ansible, Jamf, or Puppet. Learn how: https:\/\/fleetdm.com\/docs\/using-fleet\/adding-hosts\n<\/code><\/pre>\n\n\n\n<p>Execute the command below to install the osquery agent and enroll the host server into the Fleet.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo yum localinstall \/root\/fleet-osquery-1.1.0.x86_64.rpm<\/code><\/pre>\n\n\n\n<p>The package will create a systemd service called <strong><code>orbit<\/code><\/strong>. The config files for this service are located under <strong><code>\/opt\/orbit\/<\/code><\/strong>.<\/p>\n\n\n\n<p>Before you start the service, you can update the service flags with the path to the Fleet server SSL certificate;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>echo \"--tls_server_certs=\/etc\/ssl\/certs\/fleet.cert\" &gt;&gt; \/opt\/orbit\/osquery.flags<\/code><\/pre>\n\n\n\n<p>Start and enable the orbit service to run on system boot;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>systemctl enable --now orbit<\/code><\/pre>\n\n\n\n<p>You can check the status;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>systemctl status orbit<\/code><\/pre>\n\n\n\n<p>Confirm host enrollment on the Fleet Manager dashboard;<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1907\" height=\"403\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/09\/enroll-host-using-fleet-osquery-package.png\" alt=\"\" class=\"wp-image-14175\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/09\/enroll-host-using-fleet-osquery-package.png?v=1664298889 1907w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/09\/enroll-host-using-fleet-osquery-package-768x162.png?v=1664298889 768w, 
https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/09\/enroll-host-using-fleet-osquery-package-1536x325.png?v=1664298889 1536w\" sizes=\"(max-width: 1907px) 100vw, 1907px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"enroll-hosts-using-osquery-package\">Enroll Hosts into Osquery Fleet Manager using Osquery Package<\/h3>\n\n\n\n<p>Before you can add hosts to Osquery Fleet manager via this method, you need to have installed Osquery on the remote hosts.<\/p>\n\n\n\n<p>Below are some guides you can follow to install Osquery;<\/p>\n\n\n\n<p><a aria-label=\" (opens in a new tab)\" class=\"rank-math-link\" href=\"https:\/\/kifarunix.com\/install-osquery-on-ubuntu\/\" target=\"_blank\" rel=\"noreferrer noopener\">Install Osquery on Ubuntu 20.04\/22.04<\/a><\/p>\n\n\n\n<p><a aria-label=\" (opens in a new tab)\" href=\"https:\/\/kifarunix.com\/install-osquery-on-debian-10-buster\/\" target=\"_blank\" rel=\"noreferrer noopener\" class=\"rank-math-link\">Install Osquery on Debian 10 Buster<\/a><\/p>\n\n\n\n<p>After you have installed Osquery on the hosts, you can then proceed to enroll them on Fleet manager.<\/p>\n\n\n\n<p>You can begin by enrolling the Fleet Manager host server itself, if not already enrolled!<\/p>\n\n\n\n<p>To add or enroll a host, navigate to the Hosts menu, click <strong>Add hosts<\/strong>, and then click <strong>Advanced<\/strong> in the wizard that opens up.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1824\" height=\"609\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/09\/enroll-host-using-fleet-osquery-package-1.png\" alt=\"\" class=\"wp-image-14176\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/09\/enroll-host-using-fleet-osquery-package-1.png?v=1664299387 1824w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/09\/enroll-host-using-fleet-osquery-package-1-768x256.png?v=1664299387 768w, 
https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/09\/enroll-host-using-fleet-osquery-package-1-1536x513.png?v=1664299387 1536w\" sizes=\"(max-width: 1824px) 100vw, 1824px\" \/><\/figure>\n\n\n\n<p>Next, click the <strong>Plain osquery<\/strong> drop-down menu button;<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1813\" height=\"935\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/09\/plain-osquery.png\" alt=\"\" class=\"wp-image-14177\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/09\/plain-osquery.png?v=1664301023 1813w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/09\/plain-osquery-768x396.png?v=1664301023 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/09\/plain-osquery-1536x792.png?v=1664301023 1536w\" sizes=\"(max-width: 1813px) 100vw, 1813px\" \/><\/figure>\n\n\n\n<p>Download:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong><code>Enrollment secret<\/code><\/strong>: <em>Provide an active enroll secret to allow osquery to authenticate with the Fleet server.<\/em><\/li>\n\n\n\n<li><code><strong>Server certificate<\/strong><\/code>: <em>Provide the TLS certificate used by the Fleet server to enable secure connections from osquery<\/em>.<\/li>\n\n\n\n<li><a aria-label=\"Flag File (opens in a new tab)\" href=\"https:\/\/osquery.readthedocs.io\/en\/stable\/installation\/cli-flags\/#flagfile\" target=\"_blank\" rel=\"noreferrer noopener\" class=\"rank-math-link\"><strong><code>Flag File<\/code><\/strong><\/a>: flags to control initialization, disable\/enable features, and select plugins.<\/li>\n<\/ul>\n\n\n\n<p>Once the files above are downloaded, copy them to the remote Osquery host.<\/p>\n\n\n\n<p>For example, in my setup, I have copied the files to the home directory of a specific user account on my Ubuntu 22.04 server;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ls ~\/ -1<\/code><\/pre>\n\n\n\n<pre 
class=\"wp-block-code\"><code>flagfile.txt\nfleet.pem\nsecret.txt<\/code><\/pre>\n\n\n\n<p>Navigate to the directory where the files above are stored on the osquery host; in my case, it is my user's home directory.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>cd ~\/<\/code><\/pre>\n\n\n\n<p>Enroll the Osquery host on Fleet manager by running the command below.<\/p>\n\n\n\n<p>(<strong>Before you run the command below, ensure that the Osquery Fleet manager hostname that you generated the SSL certs for is resolvable from the host<\/strong>)<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>sudo osqueryd --flagfile=flagfile.txt --verbose<\/code><\/pre>\n\n\n\n<p>You will see some system output.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>I0927 17:55:12.850069 55765 init.cpp:399] osquery initialized [version=5.5.1]\nI0927 17:55:12.850409 55765 extensions.cpp:453] Could not autoload extensions: Cannot open file for reading: \/etc\/osquery\/extensions.load\nI0927 17:55:12.850607 55765 dispatcher.cpp:78] Adding new service: WatcherRunner (0x55ac173b62b8) to thread: 140233538664000 (0x55ac173ae9b0) in process 55765\nI0927 17:55:12.851366 55766 watcher.cpp:680] osqueryd watcher (55765) executing worker (55767)\nI0927 17:55:12.856755 55767 init.cpp:396] osquery worker initialized [watcher=55765]\nI0927 17:55:12.856871 55767 dispatcher.cpp:78] Adding new service: WatcherWatcherRunner (0x55a4664d72b8) to thread: 140054961374784 (0x55a4664d05a0) in process 55767\nI0927 17:55:12.856969 55767 rocksdb.cpp:132] Opening RocksDB handle: \/var\/osquery\/osquery.db\nI0927 17:55:12.913545 55767 dispatcher.cpp:78] Adding new service: ExtensionWatcher (0x55a466620098) to thread: 140054420764224 (0x55a466564bf0) in process 55767\nI0927 17:55:12.913673 55767 dispatcher.cpp:78] Adding new service: ExtensionRunnerCore (0x55a46661f228) to thread: 140054429156928 (0x55a4664f2cb0) in process 55767\nI0927 17:55:12.913722 55896 interface.cpp:299] Extension manager service starting: 
\/var\/osquery\/osquery.em\nI0927 17:55:12.913940 55767 auto_constructed_tables.cpp:99] Removing stale ATC entries\nI0927 17:55:12.914314 55767 dispatcher.cpp:78] Adding new service: ConfigRefreshRunner (0x55a4665aaf38) to thread: 140054437549632 (0x55a466565e40) in process 55767\nI0927 17:55:12.914551 55767 tls.cpp:255] TLS\/HTTPS POST request to URI: https:\/\/fleet.kifarunix-demo.com:8080\/api\/v1\/osquery\/config\nI0927 17:55:13.929601 55767 tls_enroll.cpp:81] TLSEnrollPlugin requesting a node enroll key from: https:\/\/fleet.kifarunix-demo.com:8080\/api\/osquery\/enroll\nI0927 17:55:13.931106 55767 system.cpp:237] Using host identifier: 2121d69f-6e3d-4204-806a-8e214b47b7cb\nI0927 17:55:13.933938 55767 smbios_tables.cpp:105] Reading SMBIOS from sysfs DMI node\nI0927 17:55:13.936805 55767 smbios_tables.cpp:105] Reading SMBIOS from sysfs DMI node\nI0927 17:55:13.937805 55767 tls.cpp:255] TLS\/HTTPS POST request to URI: https:\/\/fleet.kifarunix-demo.com:8080\/api\/osquery\/enroll\nI0927 17:55:14.005929 55767 tls.cpp:255] TLS\/HTTPS POST request to URI: https:\/\/fleet.kifarunix-demo.com:8080\/api\/v1\/osquery\/config\nW0927 17:55:14.025341 55767 options.cpp:106] The CLI only flag --logger_plugin set via config file will be ignored, please use a flagfile or pass it to the process at startup\nI0927 17:55:14.047302 55767 smbios_tables.cpp:105] Reading SMBIOS from sysfs DMI node\nI0927 17:55:14.048081 55767 smbios_tables.cpp:105] Reading SMBIOS from sysfs DMI node\nI0927 17:55:14.048434 55767 dispatcher.cpp:78] Adding new service: TLSLogForwarder (0x55a46674b188) to thread: 140054840202816 (0x55a466764c90) in process 55767\nI0927 17:55:14.048753 55900 tls.cpp:255] TLS\/HTTPS POST request to URI: https:\/\/fleet.kifarunix-demo.com:8080\/api\/osquery\/log\nI0927 17:55:14.049381 55767 eventfactory.cpp:156] Event publisher not enabled: BPFEventPublisher: Publisher disabled via configuration\nI0927 17:55:14.049559 55767 eventfactory.cpp:156] Event publisher not enabled: 
auditeventpublisher: Publisher disabled via configuration\nI0927 17:55:14.049754 55767 eventfactory.cpp:156] Event publisher not enabled: inotify: Publisher disabled via configuration\nI0927 17:55:14.049918 55767 eventfactory.cpp:156] Event publisher not enabled: syslog: Publisher disabled via configuration\nI0927 17:55:14.050160 55767 events.cpp:70] Skipping subscriber: apparmor_events: Subscriber disabled via configuration\nI0927 17:55:14.050382 55767 events.cpp:70] Skipping subscriber: process_file_events: Subscriber disabled via configuration\nI0927 17:55:14.050551 55767 events.cpp:70] Skipping subscriber: seccomp_events: Seccomp subscriber disabled via configuration\nI0927 17:55:14.050714 55767 events.cpp:70] Skipping subscriber: selinux_events: Subscriber disabled via configuration\nI0927 17:55:14.050877 55767 events.cpp:70] Skipping subscriber: socket_events: Subscriber disabled via configuration\nI0927 17:55:14.051129 55901 eventfactory.cpp:390] Starting event publisher run loop: udev\nI0927 17:55:14.051138 55767 dispatcher.cpp:78] Adding new service: DistributedRunner (0x55a4666cc178) to thread: 140054815024704 (0x55a4666db480) in process 55767\nI0927 17:55:14.051409 55767 dispatcher.cpp:78] Adding new service: SchedulerRunner (0x55a466620718) to thread: 140054806632000 (0x55a4666f6a20) in process 55767\nI0927 17:55:14.051676 55902 tls.cpp:255] TLS\/HTTPS POST request to URI: https:\/\/fleet.kifarunix-demo.com:8080\/api\/v1\/osquery\/distributed\/read\nI0927 17:55:14.063175 55902 distributed.cpp:151] Executing distributed query: fleet_detail_query_disk_space_unix: \nSELECT (blocks_available * 100 \/ blocks) AS percent_disk_space_available,\n       round((blocks_available * blocks_size *10e-10),2) AS gigs_disk_space_available\n...\n<\/code><\/pre>\n\n\n\n<p>The host now communicates with the Osquery Fleet manager and it should be enrolled.<\/p>\n\n\n\n<p>Navigate to Osquery Fleet Manager and refresh the web interface. 
You should be able to see your host enrolled.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1906\" height=\"426\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/09\/enrolled-hosts.png\" alt=\"\" class=\"wp-image-14178\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/09\/enrolled-hosts.png?v=1664301432 1906w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/09\/enrolled-hosts-768x172.png?v=1664301432 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/09\/enrolled-hosts-1536x343.png?v=1664301432 1536w\" sizes=\"(max-width: 1906px) 100vw, 1906px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Running Osqueryd as a Service<\/h3>\n\n\n\n<p>To ensure constant communication between the Osquery host and the Fleet manager, you need to run osqueryd as a service.<\/p>\n\n\n\n<p>Therefore, stop the standalone process initiated above by pressing <strong>Ctrl+c<\/strong>.<\/p>\n\n\n\n<p>Update the osqueryd service unit file configurations as follows.<\/p>\n\n\n\n<p>First of all, let us move the secret, the certificate and the flag files to the <code><strong>\/etc\/osquery<\/strong><\/code> directory;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>sudo mv ~\/{flagfile.txt,fleet.pem,secret.txt} \/etc\/osquery<\/code><\/pre>\n\n\n\n<p>Next, update the path in the FLAG_FILE environment variable in the osqueryd service defaults file, <code><strong>\/etc\/default\/osqueryd<\/strong><\/code>.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>sudo vim \/etc\/default\/osqueryd<\/code><\/pre>\n\n\n\n<p>Check the highlighted line. 
Replace the path accordingly.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code><strong>FLAG_FILE=\"\/etc\/osquery\/flagfile.txt\"<\/strong>\nCONFIG_FILE=\"\/etc\/osquery\/osquery.conf\"\nLOCAL_PIDFILE=\"\/var\/osquery\/osqueryd.pidfile\"\nPIDFILE=\"\/var\/run\/osqueryd.pidfile\"<\/code><\/pre>\n\n\n\n<p>Next, edit the <strong><code>flagfile.txt<\/code><\/strong> file and update the paths to the secret and certificate files.<\/p>\n\n\n\n<pre id=\"block-354df65c-ec11-4395-bb6a-f54752908816\" class=\"wp-block-preformatted\">sudo vim \/etc\/osquery\/flagfile.txt<\/pre>\n\n\n\n<pre class=\"scroll-box\"><code># Server\n--tls_hostname=osquery.kifarunix-demo.com:8080\n--tls_server_certs=<strong>\/etc\/osquery\/fleet.pem<\/strong>\n\n# Enrollment\n--host_identifier=instance\n--enroll_secret_path=<strong>\/etc\/osquery\/secret.txt<\/strong>\n--enroll_tls_endpoint=\/api\/v1\/osquery\/enroll\n<\/code><\/pre>\n\n\n\n<p>Save and exit the file after making the changes.<\/p>\n\n\n\n<p>Reload systemd configurations;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>sudo systemctl daemon-reload<\/code><\/pre>\n\n\n\n<p>Restart the osqueryd service;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>sudo systemctl restart osqueryd.service<\/code><\/pre>\n\n\n\n<p>Check the status;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>systemctl status osqueryd<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\u25cf osqueryd.service - The osquery Daemon\n     Loaded: loaded (\/lib\/systemd\/system\/osqueryd.service; disabled; vendor preset: enabled)\n     Active: active (running) since Tue 2022-09-27 18:00:09 UTC; 5s ago\n    Process: 56011 ExecStartPre=\/bin\/sh -c if [ ! 
-f $FLAG_FILE ]; then touch $FLAG_FILE; fi (code=exited, status=0\/SUCCESS)\n    Process: 56012 ExecStartPre=\/bin\/sh -c if [ -f $LOCAL_PIDFILE ]; then mv $LOCAL_PIDFILE $PIDFILE; fi (code=exited, status=0\/SUCCESS)\n   Main PID: 56013 (osqueryd)\n      Tasks: 17 (limit: 2241)\n     Memory: 8.5M\n        CPU: 111ms\n     CGroup: \/system.slice\/osqueryd.service\n             \u251c\u250056013 \/opt\/osquery\/bin\/osqueryd --flagfile \/etc\/osquery\/flagfile.txt --config_path \/etc\/osquery\/osquery.conf\n             \u2514\u250056015 \/opt\/osquery\/bin\/osqueryd \"\" \"\" \"\" \"\" \"\" \"\" \"\" \"\" \"\" \"\" \"\" \"\" \"\" \"\" \"\" \"\" \"\" \"\" \"\" \"\" \"\" \"\" \"\" \"\" \"\" \"\" \"\" \"\" \"\" \"\" \"\" \"\" \"\" \"\" \"\" \"\" \"\" \"\" \"\" \"\" \"\" \"&gt;\n\nSep 27 18:00:09 jellyfish systemd[1]: Starting The osquery Daemon...\nSep 27 18:00:09 jellyfish systemd[1]: Started The osquery Daemon.\nSep 27 18:00:09 jellyfish osqueryd[56013]: osqueryd started [version=5.5.1]\n<\/code><\/pre>\n\n\n\n<p>Enable the service to run on system boot;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>sudo systemctl enable osqueryd.service<\/code><\/pre>\n\n\n\n<p>Also verify that osquery host status is online on the Fleet manager.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Querying Host from Fleet Osquery Manager<\/h3>\n\n\n\n<p>You can now query the host by clicking on the <strong>hostname<\/strong> of the host and then <strong>Query<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1906\" height=\"426\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/09\/click-host-to-query.png\" alt=\"\" class=\"wp-image-14179\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/09\/click-host-to-query.png?v=1664301808 1906w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/09\/click-host-to-query-768x172.png?v=1664301808 768w, 
https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/09\/click-host-to-query-1536x343.png?v=1664301808 1536w\" sizes=\"(max-width: 1906px) 100vw, 1906px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1878\" height=\"690\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/09\/query-host.png\" alt=\"\" class=\"wp-image-14180\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/09\/query-host.png?v=1664302100 1878w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/09\/query-host-768x282.png?v=1664302100 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/09\/query-host-1536x564.png?v=1664302100 1536w\" sizes=\"(max-width: 1878px) 100vw, 1878px\" \/><\/figure>\n\n\n\n<p>Click <strong>Create custom query<\/strong>.<\/p>\n\n\n\n<p><span style=\"color: initial;\">Enter the SQL query e.g (<\/span><code style=\"font-size: 15px; color: initial;\"><strong>select interface,address,mask from interface_addresses where interface NOT LIKE '%lo%';<\/strong><\/code><span style=\"color: initial;\">)<\/span><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1896\" height=\"849\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/09\/new-query.png\" alt=\"\" class=\"wp-image-14181\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/09\/new-query.png?v=1664302315 1896w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/09\/new-query-768x344.png?v=1664302315 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/09\/new-query-1536x688.png?v=1664302315 1536w\" sizes=\"(max-width: 1896px) 100vw, 1896px\" \/><\/figure>\n\n\n\n<p>You can either <strong>Execute<\/strong> or <strong>Save<\/strong> the query for future use if you want.<\/p>\n\n\n\n<p>If you choose to execute, you will be prompted to select target hosts. 
Select the hosts to run the query against.<\/p>\n\n\n\n<p>Run the query<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1907\" height=\"568\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/09\/select-query-target-hosts.png\" alt=\"\" class=\"wp-image-14182\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/09\/select-query-target-hosts.png?v=1664302573 1907w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/09\/select-query-target-hosts-768x229.png?v=1664302573 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/09\/select-query-target-hosts-1536x457.png?v=1664302573 1536w\" sizes=\"(max-width: 1907px) 100vw, 1907px\" \/><\/figure>\n\n\n\n<p>Sample results of our query;<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1901\" height=\"791\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/09\/osquery-query-output.png\" alt=\"\" class=\"wp-image-14183\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/09\/osquery-query-output.png?v=1664302631 1901w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/09\/osquery-query-output-768x320.png?v=1664302631 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/09\/osquery-query-output-1536x639.png?v=1664302631 1536w\" sizes=\"(max-width: 1901px) 100vw, 1901px\" \/><\/figure>\n\n\n\n<p>Very nice, isn&#8217;t it?<\/p>\n\n\n\n<p>For other custom queries, choose a table you want to query from the right pane. 
You will see all the available options related to the respective table that can enable you to make specific queries;<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1891\" height=\"731\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/09\/custom-queries-osquery.png\" alt=\"\" class=\"wp-image-14184\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/09\/custom-queries-osquery.png?v=1664303019 1891w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/09\/custom-queries-osquery-768x297.png?v=1664303019 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/09\/custom-queries-osquery-1536x594.png?v=1664303019 1536w\" sizes=\"(max-width: 1891px) 100vw, 1891px\" \/><\/figure>\n\n\n\n<p>You can add more hosts to the Fleet for easy management and monitoring.<\/p>\n\n\n\n<p>Other Tutorials;<\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/install-and-enroll-elastic-agents-to-fleet-manager-in-linux\/\" target=\"_blank\" rel=\"noreferrer noopener\">Install and Enroll Elastic Agents to Fleet Manager in Linux<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this tutorial, you will learn how to add or enroll Osquery hosts on Fleet manager. 
Fleet is the most widely used open source osquery<\/p>\n","protected":false},"author":1,"featured_media":7987,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[72,121,1065],"tags":[3298,3302,3299,3301,3286,3300,3303,1068],"class_list":["post-8335","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-monitoring","category-howtos","category-osquery","tag-add-hosts-to-osquery-fleet-manager","tag-adding-hosts-to-fleet-manager","tag-enroll-hosts-on-osquery-fleet-manager","tag-enroll-osquery-hosts","tag-fleet-manager-osquery","tag-osquery-enrollment-secret","tag-osquery-flags-file","tag-osqueryd","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50","resize-featured-image"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/8335"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=8335"}],"version-history":[{"count":10,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/8335\/revisions"}],"predecessor-version":[{"id":21892,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/8335\/revisions\/21892"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media\/7987"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=8335"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=8335"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=8335"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","t
emplated":true}]}}