Overview

The Endpoint Agent Manager allows you to retrieve your endpoint data easily with a centralized configuration. However, each environment is different and has its own needs. The EAM has lots of configurable options that allow you to optimize it for each environment.

To configure the Endpoint Agent options centrally, the EAM applies the configuration to the existing deployment through Ansible playbooks. Up to EA 1.2.1, the configuration to deploy lived in $HOME/devo-ea-deployer/playbooks/roles/files/deam-packs/options.yaml, so every change had to be made there using the osquery flag naming convention. From EA 1.3 on, changes are centralized in the inventory file used for the deployment and follow a different naming convention.

From EA 1.3.1 there is a set of agent configuration options that can only be set in the flags file deployed when the Endpoint Agent is installed from the package. These options cannot be pushed through the distributed configuration; they can only be changed in the agent's local configuration on the running hosts.

Because the parameter names differ depending on whether the centralized configuration is changed through the Ansible roles or through the Web UI, this document is a glossary of the names that can be used in each case.

Via Ansible - 1.3.0 or beyond

In versions 1.3.0 and later, the allowed options have moved from the old options.yaml file to the inventory file. To add or change an option, open the inventory used for your deployment and add the flags to its vars section (under all: vars:, as in the samples below).

Flags tables

Agent/OSQuery options

Name

Description

Type

Sample (with default value)

deam_fleet_config_agent_opts_events_expiry

Expiration age for evented data (in seconds), applied once the data is queried.

int

Code Block
all:
  vars:
    deam_fleet_config_agent_opts_events_expiry: 300

deam_fleet_config_agent_opts_events_max

Maximum number of events to buffer in the backing store while waiting for a query to "drain" them.

int

Code Block
all:
  vars:
    deam_fleet_config_agent_opts_events_max: 500000

deam_fleet_config_agent_opts_logger_min_status

Minimum level for status log recording. Use the following values: INFO = 0, WARNING = 1, ERROR = 2. To disable all status messages use 3 or higher.

int

Code Block
all:
  vars:
    deam_fleet_config_agent_opts_logger_min_status: 1

deam_fleet_config_agent_opts_distributed_interval

Amount of time (in seconds) that the EA waits between periodic check-ins with the distributed query server to see if there are any queries to execute.

int

Code Block
all:
  vars:
    deam_fleet_config_agent_opts_distributed_interval: 60

deam_fleet_config_agent_opts_config_refresh

Only in 1.3.0. Configuration refresh interval in seconds.

int

Code Block
all:
  vars:
    deam_fleet_config_agent_opts_config_refresh: 900

deam_fleet_config_agent_opts_distributed_tls_max_attempts

Total number of attempts that will be made to the remote distributed query server if a request fails when using the tls distributed plugin.

int

Code Block
all:
  vars:
    deam_fleet_config_agent_opts_distributed_tls_max_attempts: 3

deam_fleet_config_agent_opts_disable_distributed

Disable distributed queries functionality.

boolean

Code Block
all:
  vars:
    deam_fleet_config_agent_opts_disable_distributed: false

deam_fleet_config_agent_opts_logger_tls_period

Number of seconds before checking for buffered logs. Results are sent to the TLS endpoint in intervals, not on demand.

int

Code Block
all:
  vars:
    deam_fleet_config_agent_opts_logger_tls_period: 30

deam_fleet_config_agent_opts_logger_tls_compress

Enable or disable GZIP compression for request bodies when sending.

boolean

Code Block
all:
  vars:
    deam_fleet_config_agent_opts_logger_tls_compress: true

deam_fleet_config_agent_opts_schedule_splay_percent

Percent to splay config times. The query schedule often includes several queries with the same interval.

int

Code Block
all:
  vars:
    deam_fleet_config_agent_opts_schedule_splay_percent: 10

deam_fleet_config_agent_opts_tls_session_reuse

Only in 1.3.0. Reuse TLS session sockets.

boolean

Code Block
all:
  vars:
    deam_fleet_config_agent_opts_tls_session_reuse: false

deam_fleet_config_agent_opts_win_windows_event_channels

List of Windows Event Log channels for osquery to subscribe to.

string

Code Block
all:
  vars:
    deam_fleet_config_agent_opts_win_windows_event_channels: System,Application,Setup,Security,Microsoft-Windows-PowerShell/Operational,ForwardedEvents

Name

Description

Type

Sample (with default values)

deam_fleet_config_agent_opts

General options related to the way the EA Client behaves for all endpoints. You can add flags supported by osquery in this section.

dict

Code Block
all:
  vars:
    deam_fleet_config_agent_opts: {}

deam_fleet_config_agent_opts_nix

Options related to the way the EA Client behaves for Linux endpoints. You can add flags supported by osquery in this section.
Overrides general ones.

dict

Code Block
all:
  vars:
    deam_fleet_config_agent_opts_nix: {}

deam_fleet_config_agent_opts_win

Options related to the way the EA Client behaves for Windows endpoints. You can add flags supported by osquery in this section.
Overrides general ones.

dict

Code Block
all:
  vars:
    deam_fleet_config_agent_opts_win: {}

deam_fleet_config_agent_opts_darwin

Options related to the way the EA Client behaves for macOS endpoints. You can add flags supported by osquery in this section.
Overrides general ones.

dict

Code Block
all:
  vars:
    deam_fleet_config_agent_opts_darwin: {}

EA supported options. Keep in mind that the following samples are not necessarily the default values.

events_expiry

Expiration age for evented data (in seconds), applied once the data is queried.
Same as deam_fleet_config_agent_opts_events_expiry.

int

Code Block
all:
  vars:
    deam_fleet_config_agent_opts:
      events_expiry: 300
      events_max: 500000
      logger_min_status: 1
      distributed_interval: 60
      config_refresh: 900
      distributed_tls_max_attempts: 3
      disable_distributed: false
      logger_tls_period: 30
      logger_tls_compress: true
      schedule_splay_percent: 10
      tls_session_reuse: false
      distributed_plugin: tls
      distributed_tls_read_endpoint: /api/v1/osquery/distributed/read
      distributed_tls_write_endpoint: /api/v1/osquery/distributed/write
      logger_plugin: tls
      logger_snapshot_event_type: true
      logger_tls_endpoint: /api/v1/osquery/log
      pack_delimiter: /
    deam_fleet_config_agent_opts_nix:
      audit_allow_config: true
      audit_allow_sockets: true
      audit_persist: true
      disable_audit: false
      enable_syslog: true
    deam_fleet_config_agent_opts_win:
      windows_event_channels: System,Application,Setup,Security,Microsoft-Windows-PowerShell/Operational,ForwardedEvents
    deam_fleet_config_agent_opts_darwin:
      audit_allow_config: true
      audit_allow_sockets: true
      disable_audit: false

events_max

Maximum number of events to buffer in the backing store while waiting for a query to "drain" them.
Same as deam_fleet_config_agent_opts_events_max.

int

logger_min_status

Minimum level for status log recording. Use the following values: INFO = 0, WARNING = 1, ERROR = 2. To disable all status messages use 3 or higher.
Same as deam_fleet_config_agent_opts_logger_min_status.

int

distributed_interval

Amount of time (in seconds) that the EA waits between periodic check-ins with the distributed query server to see if there are any queries to execute.
Same as deam_fleet_config_agent_opts_distributed_interval.

int

config_refresh

Only in 1.3.0. Configuration refresh interval in seconds.
Same as deam_fleet_config_agent_opts_config_refresh.

int

distributed_tls_max_attempts

Total number of attempts that will be made to the remote distributed query server if a request fails when using the tls distributed plugin.
Same as deam_fleet_config_agent_opts_distributed_tls_max_attempts.

int

disable_distributed

Disable distributed queries functionality.
Same as deam_fleet_config_agent_opts_disable_distributed.

boolean

logger_tls_period

Number of seconds before checking for buffered logs. Results are sent to the TLS endpoint in intervals, not on demand.
Same as deam_fleet_config_agent_opts_logger_tls_period.

int

logger_tls_compress

Enable or disable GZIP compression for request bodies when sending.

Same as deam_fleet_config_agent_opts_logger_tls_compress.

boolean

schedule_splay_percent

Percent to splay config times. The query schedule often includes several queries with the same interval.
Same as deam_fleet_config_agent_opts_schedule_splay_percent

int

tls_session_reuse

Only in 1.3.0. Reuse TLS session sockets.

Same as deam_fleet_config_agent_opts_tls_session_reuse.

boolean

distributed_plugin

Plugin used to fetch new distributed queries from the EAM. The default, tls, must not be changed in common scenarios (same meaning as the dea_osq_distributed_plugin flag).

string

distributed_tls_read_endpoint

The URI path which will be used, in conjunction with tls_hostname, to create the remote URI for retrieving distributed queries when using the tls distributed plugin.

string

distributed_tls_write_endpoint

The URI path which will be used, in conjunction with tls_hostname, to create the remote URI for submitting the results of distributed queries when using the tls distributed plugin.

string

logger_plugin

Only in 1.3.0. Logger plugin name.
Accepted values: filesystem, tls, syslog

fixed

logger_snapshot_event_type

Log scheduled snapshot results as events, similar to differential results.

boolean

logger_tls_endpoint

The tls endpoint path when using the tls logger plugin.

string

pack_delimiter

Control the delimiter between pack name and pack query names.

string

audit_allow_config

Allows or prevents osquery from making changes to the audit configuration settings. When enabled, osquery rewrites the kernel audit rules itself, which can clash with a locally managed auditd on the same host.
Only for Linux and macOS endpoints.

boolean

audit_allow_sockets

Allow the audit publisher to install socket-related rules.
Only for Linux and macOS endpoints.

boolean

audit_persist

Instructs osquery to regain the audit netlink socket if another process also accesses it.
Only for Linux endpoints.

boolean

disable_audit

Allows or prevents osquery from opening the kernel audit's netlink socket.
Only for Linux and macOS endpoints.

boolean

enable_syslog

Turn on the syslog ingestion event publisher.
Only for Linux endpoints.

boolean

windows_event_channels

List of Windows Event Log channels for osquery to subscribe to. Same as deam_fleet_config_agent_opts_win_windows_event_channels.
Only for Windows endpoints.

string

Agent/OSQuery Flags (agent configuration file). Only from 1.3.1

Name

Description

Type

Sample (with default value)

dea_osq_config_refresh

Configuration refresh interval in seconds.

int

Code Block
dea_osq_config_refresh: 900

dea_osq_tls_session_reuse

Enable ("true") the reuse of the TLS session between agent and manager.
Be careful when enabling this feature: performance might be affected when the session is reused.
In most cases this feature should be disabled ("false").

string

Code Block
dea_osq_tls_session_reuse: "false"

dea_osq_logger_plugin

Logger plugin for results of scheduled queries.
Default value must not be changed in common scenarios.

string

Code Block
dea_osq_logger_plugin: tls

dea_osq_distributed_plugin

Plugin to look for new distributed queries.
Default value must not be changed in common scenarios.

string

Code Block
dea_osq_distributed_plugin: tls

dea_osq_config_plugin

Plugin used to load the distributed configuration.
Default value must not be changed in common scenarios.

string

Code Block
dea_osq_config_plugin: tls
Info

“[]” and “{}” values are used in yaml to declare the value of a key as list or dict when it is empty.

Extension options

Name

Description

Type

Sample (with default values)

deam_fleet_config_devoext_fetchfiles_default_tag

Default destination in Devo for all ingested files. Can be overridden in the pattern options.

string

Code Block
all:
  vars:    
    deam_fleet_config_devoext_fetchfiles_default_tag: box.devo_ea.files

deam_fleet_config_devoext_fetchfiles_buffer_size

Total size in bytes per processed chunk.

int

Code Block
all:
  vars:    
    deam_fleet_config_devoext_fetchfiles_buffer_size: 131072

deam_fleet_config_devoext_fetchfiles_buffer_max_number_of_parts_per_file

Max number of processed events per chunk.

int

Code Block
all:
  vars:    
    deam_fleet_config_devoext_fetchfiles_buffer_max_number_of_parts_per_file: 2000

deam_fleet_config_devoext_fetchfiles_config_refresh

Specifies the interval in which the agent will look for updates of the configuration of the Files Fetcher extension in the EAM. Can be expressed in seconds (s), minutes (m) and hours (h).

Duration

Code Block
all:
  vars:    
    deam_fleet_config_devoext_fetchfiles_config_refresh: 10m

Name

Description

Type

Sample (with default values)

deam_fleet_config_devoext_fetchfiles_watchdog_opts

FetchFiles watchdog general options (for all endpoints regardless of OS).

dict

Code Block
all:
  vars:
    deam_fleet_config_devoext_fetchfiles_watchdog_opts: {}

deam_fleet_config_devoext_fetchfiles_watchdog_nix

FetchFiles watchdog options, only for Linux endpoints. This flag overrides the general one.

dict

Code Block
all:
  vars:
    deam_fleet_config_devoext_fetchfiles_watchdog_nix: {}

deam_fleet_config_devoext_fetchfiles_watchdog_win

FetchFiles watchdog options, only for Windows endpoints. This flag overrides the general one.

dict

Code Block
all:
  vars:
    deam_fleet_config_devoext_fetchfiles_watchdog_win:
      allow_empty_paths: true

deam_fleet_config_devoext_fetchfiles_watchdog_darwin

FetchFiles watchdog options, only for macOS endpoints. This flag overrides the general one.

dict

Code Block
all:
  vars:
    deam_fleet_config_devoext_fetchfiles_watchdog_darwin: {}

FetchFiles watchdog supported options. Keep in mind that the following samples are not necessarily the default values.

max_concurrent_files

Number of files processed in parallel. If this value is less than 2, files are processed sequentially.

int

Code Block
all:
  vars:
    deam_fleet_config_devoext_fetchfiles_watchdog_nix:
      max_concurrent_files: 100
      scan_each: 1m
      max_file_part_size: 1048576
      allow_empty_paths: false

scan_each

Defines the minimum interval between SQL queries to run fresh scans for new files.

duration

max_file_part_size

Maximum size, in bytes, of each processed file part (chunk).

int

allow_empty_paths

Allow the pattern list for the platform to be empty. The Windows default enables this because deam_fleet_config_devoext_fetchfiles_paths_win defaults to [].

boolean

Name

Description

Type

Sample (with default values)

deam_fleet_config_devoext_fetchfiles_paths_nix

Definition of files scanning paths along with their respective scanning options for Linux endpoints.

list

Code Block
all:
  vars:   
    deam_fleet_config_devoext_fetchfiles_paths_nix:
      - pattern: /var/log/**/*log

deam_fleet_config_devoext_fetchfiles_paths_win

Definition of files scanning paths along with their respective scanning options for Windows endpoints.

list

Code Block
all:
  vars:   
    deam_fleet_config_devoext_fetchfiles_paths_win: []

deam_fleet_config_devoext_fetchfiles_paths_darwin

Definition of files scanning paths along with their respective scanning options for macOS endpoints.

list

Code Block
all:
  vars:   
    deam_fleet_config_devoext_fetchfiles_paths_darwin:
      - pattern: /var/log/system.log

FetchFiles pattern level supported options. Keep in mind that following samples are not necessarily the default values.

tag

Destination in Devo for all ingested files.

string

Code Block
all:
  vars:
    deam_fleet_config_devoext_fetchfiles_paths_nix:
      - pattern: /var/log/httpd/access_log
        tag: web.apache.access-combined.pro.ltdemo.www1
        payload_format: c:event
    deam_fleet_config_devoext_fetchfiles_paths_win:
      - pattern: C:\flog\logs\xml\notes_xml?.log
        content_separator: <note>
        file_processor: multiline
      - pattern: C:\flog\logs\apache\**\error*log
        threshold_file_modification_time: -5s

payload_format

Allows you to remove the JSON wrapper around each event sent to Devo so the events are sent “as is”.
Accepted values: c:event

fixed

content_separator

Defines an event delimiter string. By default, events are processed as full line events.

string

file_processor

Allows you to set a multiline events processing in conjunction with the content_separator string. Default value is fixed (single-line events).
Accepted values: fixed, multiline

fixed

threshold_file_modification_time

Negative duration (for example -5s): a file must have been unmodified for at least that long before the File Fetcher considers its content fully written and reads it.

Duration
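The three pattern options above interact: file_processor decides whether an event is one line or a block delimited by content_separator, and threshold_file_modification_time decides when a file is stable enough to read. The following Python model is an added example written for this page, not the Devo extension's own code. It assumes that with the multiline processor the separator begins each event, that any text before the first separator is kept as its own event rather than dropped, and that the duration grammar is the s/m/h one the page lists; the sample inputs are constructed.

```python
"""Event splitting and "fully written" check for FetchFiles pattern options.

Added example (not the Devo extension's code). Models file_processor
'fixed'/'multiline', content_separator and threshold_file_modification_time
as described in the glossary; assumptions are noted inline.
"""
import re
import time
from typing import List, Optional

_DURATION = re.compile(r"^(-?)(\d+)([smh])$")
_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600}


def parse_duration(text: str) -> int:
    """'-5s' -> -5, '10m' -> 600, '1h' -> 3600 (the s/m/h units the page lists)."""
    m = _DURATION.match(text.strip())
    if not m:
        raise ValueError(f"unsupported duration: {text!r}")
    sign, number, unit = m.groups()
    seconds = int(number) * _UNIT_SECONDS[unit]
    return -seconds if sign else seconds


def split_events(content: str, file_processor: str = "fixed",
                 content_separator: Optional[str] = None) -> List[str]:
    """Cut file content into events the way the two processors describe."""
    if file_processor == "fixed":
        # default: one event per non-empty line
        return [line for line in content.splitlines() if line.strip()]
    if file_processor != "multiline":
        raise ValueError("file_processor must be 'fixed' or 'multiline'")
    if not content_separator:
        raise ValueError("multiline processing needs a content_separator")
    # Assumption: the separator starts each event; text before the first
    # separator is kept as its own event so nothing is silently lost.
    head, *tail = content.split(content_separator)
    events = [head] + [content_separator + part for part in tail]
    return [e.strip() for e in events if e.strip()]


def is_fully_written(mtime: float, threshold: str, now: Optional[float] = None) -> bool:
    """True when the file's last modification is at least |threshold| old.

    threshold_file_modification_time is negative ('-5s'); a positive value is
    rejected because it would mark every file as settled immediately.
    """
    age_required = -parse_duration(threshold)
    if age_required < 0:
        raise ValueError("threshold_file_modification_time must be negative, e.g. -5s")
    now = time.time() if now is None else now
    return now - mtime >= age_required


# Constructed inputs: a notes file with <note> delimiting multi-line records
# and a plain access log with one event per line.
SAMPLE_NOTES = (
    "<note>id=1\nbody=first line\nbody=second line</note>\n"
    "<note>id=2\nbody=only line</note>\n"
)
SAMPLE_ACCESS_LOG = "GET /index.html 200\n\nGET /admin 403\n"


def demo() -> dict:
    """Run both processors and the threshold check on the constructed samples."""
    now = 1_700_000_000.0  # fixed clock so the result is reproducible
    return {
        "notes": split_events(SAMPLE_NOTES, "multiline", "<note>"),
        "lines": split_events(SAMPLE_ACCESS_LOG),
        "settled_after_10s": is_fully_written(now - 10, "-5s", now),
        "settled_after_2s": is_fully_written(now - 2, "-5s", now),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

A file touched two seconds ago is skipped under a -5s threshold and picked up on the next scan (scan_each), which is the behaviour you want for loggers that write a record in several write() calls.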

Decorator options

Name

Description

Type

Sample (with default values)

deam_fleet_config_extra_decorators

Run these decorators (queries) when the configuration loads (or is reloaded).
Applies to all endpoints regardless of OS.

list

Code Block
all:
  vars:
    deam_fleet_config_extra_decorators:
      - SELECT uuid AS host_uuid FROM system_info;
      - SELECT hostname AS hostname FROM system_info;
      - SELECT address as hostIp FROM interface_details id join interface_addresses ia on ia.interface = id.interface where length(mac) > 0 and ia.address LIKE '%.%' order by (ibytes + obytes) desc LIMIT 1;
      - SELECT value AS tls_hostname FROM osquery_flags WHERE name = 'tls_hostname';
      - SELECT platform AS platform FROM os_version;
      - SELECT filename as agent_tags FROM file WHERE path like "/etc/osquery/agent-tags/%" or path like "/private/var/osquery/agent-tags/%" or path like "C:\Program Files\osquery\agent-tags\%" LIMIT 1;

deam_fleet_config_extra_decorators_nix

Run these decorators (queries) when the configuration loads (or is reloaded).
Applies only to Linux endpoints overriding the general one.

list

Code Block
all:
  vars:
    deam_fleet_config_extra_decorators_nix: []

deam_fleet_config_extra_decorators_win

Run these decorators (queries) when the configuration loads (or is reloaded).
Applies only to Windows endpoints overriding the general one.

list

Code Block
all:
  vars:
    deam_fleet_config_extra_decorators_win: []

deam_fleet_config_extra_decorators_darwin

Run these decorators (queries) when the configuration loads (or is reloaded).
Applies only to macOS endpoints overriding the general one.

list

Code Block
all:
  vars:
    deam_fleet_config_extra_decorators_darwin: []

deam_fleet_config_extra_decorators_always

Run these decorators (queries) before each query in the schedule.
Applies to all endpoints regardless of OS.

list

Code Block
all:
  vars:
    deam_fleet_config_extra_decorators_always: []

deam_fleet_config_extra_decorators_always_nix

Run these decorators (queries) before each query in the schedule.
Applies only to Linux endpoints overriding the general one.

list

Code Block
all:
  vars:
    deam_fleet_config_extra_decorators_always_nix: []

deam_fleet_config_extra_decorators_always_win

Run these decorators (queries) before each query in the schedule.
Applies only to Windows endpoints overriding the general one.

list

Code Block
all:
  vars:
    deam_fleet_config_extra_decorators_always_win: []

deam_fleet_config_extra_decorators_always_darwin

Run these decorators (queries) before each query in the schedule.
Applies only to macOS endpoints overriding the general one.

list

Code Block
all:
  vars:
    deam_fleet_config_extra_decorators_always_darwin: []

deam_fleet_config_extra_decorators_interval

Special key that defines a map of intervals (interval in seconds as key and a list of queries as value).
Applies to all endpoints regardless of OS.

dict

Code Block
all:
  vars:
    deam_fleet_config_extra_decorators_interval: {}

deam_fleet_config_extra_decorators_interval_nix

Special key that defines a map of intervals (interval in seconds as key and a list of queries as value).
Applies only to Linux endpoints overriding the general one.

dict

Code Block
all:
  vars:
    deam_fleet_config_extra_decorators_interval_nix: {}

deam_fleet_config_extra_decorators_interval_win

Special key that defines a map of intervals (interval in seconds as key and a list of queries as value).
Applies only to Windows endpoints overriding the general one.

dict

Code Block
all:
  vars:
    deam_fleet_config_extra_decorators_interval_win: {}

deam_fleet_config_extra_decorators_interval_darwin

Special key that defines a map of intervals (interval in seconds as key and a list of queries as value).
Applies only to macOS endpoints overriding the general one.

dict

Code Block
all:
  vars:
    deam_fleet_config_extra_decorators_interval_darwin: {}

Sample for deam_fleet_config_extra_decorators_interval (the values are not defaults)

Code Block
all:
  vars:
    deam_fleet_config_extra_decorators_interval:
      3600:
        - SELECT uuid AS host_uuid FROM system_info;
        - SELECT total_seconds AS uptime FROM uptime;
Info

“[]” and “{}” values are used in yaml to declare the value of a key as list or dict when it is empty.

Via Web UI (all versions) and via Ansible (EA 1.2.1 or previous)

Older versions (1.2.1 or earlier) add or change these options differently. In the uncompressed EAM directory, edit the $HOME/devo-ea-deployer/playbooks/roles/deam-packs/files/devo-packs/options.yaml file and add or modify the flags in the corresponding sections.

Linux, Windows and macOS sections of options.yaml (screenshots not reproduced in this export).

The Web UI uses the same names and keys as options.yaml, so changes made from the browser (which are not persisted to the deployer files) must use these same flags.

Linux, Windows and macOS option pages in the Web UI (screenshots not reproduced in this export).

Flags table

Agent/OSQuery options

Name

Description

Type

Sample (with default values)

events_expiry

Expiration age for evented data (in seconds), applied once the data is queried.

int

Code Block
apiVersion: v1
kind: config
spec:
  common:
    config:
      options:
        events_expiry: 300
        events_max: 500000
        logger_min_status: 1
        distributed_interval: 60
        config_refresh: 900
        distributed_tls_max_attempts: 3
        disable_distributed: false
        logger_tls_period: 30
        logger_tls_compress: true
        schedule_splay_percent: 10
        tls_session_reuse: false
        distributed_plugin: tls
        distributed_tls_read_endpoint: /api/v1/osquery/distributed/read
        distributed_tls_write_endpoint: /api/v1/osquery/distributed/write
        logger_plugin: tls
        logger_snapshot_event_type: true
        logger_tls_endpoint: /api/v1/osquery/log
        pack_delimiter: /
        audit_allow_config: true
        audit_allow_sockets: true
        audit_persist: true
        disable_audit: false
        enable_syslog: true
    overrides:
      platforms:
        windows:
          options:
            windows_event_channels: System,Application,Setup,Security,Microsoft-Windows-PowerShell/Operational,ForwardedEvents
        darwin:
          options:
            audit_allow_config: true
            audit_allow_sockets: true
            disable_audit: false

events_max

Maximum number of events to buffer in the backing store while waiting for a query to "drain" them.

int

logger_min_status

Minimum level for status log recording. Use the following values: INFO = 0, WARNING = 1, ERROR = 2. To disable all status messages use 3 or higher.

int

distributed_interval

Amount of time (in seconds) that the EA waits between periodic check-ins with the distributed query server to see if there are any queries to execute.

int

config_refresh

Configuration refresh interval in seconds.

int

distributed_tls_max_attempts

Total number of attempts that are made to the remote distributed query server if a request fails when using the tls distributed plugin.

int

disable_distributed

Disable distributed queries functionality.

boolean

logger_tls_period

Number of seconds before checking for buffered logs. Results are sent to the TLS endpoint in intervals, not on demand.

int

logger_tls_compress

Enable or disable GZIP compression for request bodies when sending.

boolean

schedule_splay_percent

Percent to splay config times. The query schedule often includes several queries with the same interval.

int

tls_session_reuse

Reuse TLS session sockets.

boolean

distributed_plugin

Plugin used to fetch new distributed queries from the EAM. The default, tls, must not be changed in common scenarios.

string

distributed_tls_read_endpoint

The URI path which will be used, in conjunction with tls_hostname, to create the remote URI for retrieving distributed queries when using the tls distributed plugin.

string

distributed_tls_write_endpoint

The URI path which will be used, in conjunction with tls_hostname, to create the remote URI for submitting the results of distributed queries when using the tls distributed plugin.

string

logger_plugin

Logger plugin name.
Accepted values: filesystem, tls, syslog

fixed

logger_snapshot_event_type

Log scheduled snapshot results as events, similar to differential results.

boolean

logger_tls_endpoint

The tls endpoint path when using the tls logger plugin.

string

pack_delimiter

Control the delimiter between pack name and pack query names.

string

audit_allow_config

Allows or prevents osquery from making changes to the audit configuration settings. When enabled, osquery rewrites the kernel audit rules itself, which can clash with a locally managed auditd on the same host.
Only for Linux and macOS endpoints.

boolean

audit_allow_sockets

Allow the audit publisher to install socket-related rules.
Only for Linux and macOS endpoints.

boolean

audit_persist

Instructs osquery to regain the audit netlink socket if another process also accesses it.
Only for Linux endpoints.

boolean

disable_audit

Allows or prevents osquery from opening the kernel audit's netlink socket.
Only for Linux and macOS endpoints.

boolean

enable_syslog

Turn on the syslog ingestion event publisher.
Only for Linux endpoints.

boolean

windows_event_channels

List of Windows Event Log channels for osquery to subscribe to. Same as deam_fleet_config_agent_opts_win_windows_event_channels.
Only for Windows endpoints.

string
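When migrating a 1.2.1 options.yaml to the 1.3 inventory, the mapping is mechanical: spec.common.config.options becomes deam_fleet_config_agent_opts and each spec.overrides.platforms entry becomes the matching _nix/_win/_darwin dict. The converter below is an added Python example written for this page, not part of the EA deployer. It assumes the platform override keys are linux, windows and darwin (only windows and darwin appear in the sample above) and takes the document already parsed with yaml.safe_load; SAMPLE_OPTIONS_YAML is the sample from this section as a Python dict. It also moves the options this glossary marks "Only for Linux" or "Only for Linux and macOS" out of the common dict, since the sample above pushes audit_persist and enable_syslog to every platform; pass relocate=False to keep the document as it is.

```python
"""Convert a 1.2.1-style options.yaml into 1.3 inventory variables.

Added example for this page, not part of the Devo EA deployer. Assumes the
override keys are linux/windows/darwin and that the YAML is already parsed
(yaml.safe_load) into a dict.
"""
from typing import Any, Dict, List, Tuple

AGENT_PREFIX = "deam_fleet_config_agent_opts"
PLATFORM_SUFFIX = {"linux": "_nix", "windows": "_win", "darwin": "_darwin"}
# "Only for ... endpoints" restrictions from the glossary.
PLATFORM_ONLY = {
    "audit_allow_config": ("linux", "darwin"),
    "audit_allow_sockets": ("linux", "darwin"),
    "disable_audit": ("linux", "darwin"),
    "audit_persist": ("linux",),
    "enable_syslog": ("linux",),
    "windows_event_channels": ("windows",),
}


def spec_to_inventory_vars(doc: Dict[str, Any], relocate: bool = True
                           ) -> Tuple[Dict[str, Dict[str, Any]], List[str]]:
    """Return ({inventory variable: dict of options}, migration notes).

    With relocate=True an option the glossary restricts to some platforms is
    moved from the common dict into those platforms' dicts, so a Linux-only
    flag such as enable_syslog is no longer sent to Windows and macOS hosts.
    An explicit platform override always keeps precedence over the moved value.
    """
    spec = doc.get("spec") or {}
    common = dict(((spec.get("common") or {}).get("config") or {}).get("options") or {})
    out: Dict[str, Dict[str, Any]] = {AGENT_PREFIX: common}
    for suffix in PLATFORM_SUFFIX.values():
        out[AGENT_PREFIX + suffix] = {}

    platforms = (spec.get("overrides") or {}).get("platforms") or {}
    for os_name, body in platforms.items():
        suffix = PLATFORM_SUFFIX.get(os_name)
        if suffix is None:
            raise ValueError(f"unknown platform override: {os_name!r}")
        out[AGENT_PREFIX + suffix].update((body or {}).get("options") or {})

    notes: List[str] = []
    if relocate:
        for opt, plats in PLATFORM_ONLY.items():
            if opt not in common:
                continue
            value = common.pop(opt)
            for plat in plats:
                out[AGENT_PREFIX + PLATFORM_SUFFIX[plat]].setdefault(opt, value)
            notes.append(f"{opt} moved from common to {'/'.join(plats)}")
    return out, notes


def to_yaml_scalar(value: Any) -> str:
    """Render a scalar the way the inventory samples above write it."""
    if isinstance(value, bool):
        return "true" if value else "false"
    return str(value)


def render_inventory(inv_vars: Dict[str, Dict[str, Any]]) -> str:
    """Emit the all: vars: block in the layout used by the 1.3 samples."""
    lines = ["all:", "  vars:"]
    for name, opts in inv_vars.items():
        if not opts:
            lines.append(f"    {name}: {{}}")  # {} declares an empty dict
            continue
        lines.append(f"    {name}:")
        for opt, value in opts.items():
            lines.append(f"      {opt}: {to_yaml_scalar(value)}")
    return "\n".join(lines) + "\n"


# The options.yaml sample from this section, as the dict yaml.safe_load returns.
SAMPLE_OPTIONS_YAML: Dict[str, Any] = {
    "apiVersion": "v1", "kind": "config",
    "spec": {
        "common": {"config": {"options": {
            "events_expiry": 300, "events_max": 500000, "logger_min_status": 1,
            "distributed_interval": 60, "logger_plugin": "tls",
            "audit_allow_config": True, "audit_allow_sockets": True,
            "audit_persist": True, "disable_audit": False, "enable_syslog": True,
        }}},
        "overrides": {"platforms": {
            "windows": {"options": {"windows_event_channels":
                "System,Application,Setup,Security,Microsoft-Windows-PowerShell/Operational,ForwardedEvents"}},
            "darwin": {"options": {"audit_allow_config": True,
                                   "audit_allow_sockets": True, "disable_audit": False}},
        }},
    },
}

if __name__ == "__main__":
    inventory, migration_notes = spec_to_inventory_vars(SAMPLE_OPTIONS_YAML)
    print(render_inventory(inventory))
    for note in migration_notes:
        print("#", note)
```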

Extension options

Name

Description

Type

Sample (with default value)

watchdog → tag

General destination in Devo for all ingested files. Applies to all patterns.

string

Code Block
apiVersion: v1
kind: options
spec:
  common: 
    config:
      devo_extensions:
        fetchfiles:
          config_refresh: 10m
          watchdog:
            tag: box.devo_ea.files
            file_buffer_size: 131072
            max_number_of_parts_per_file: 2000
            max_concurrent_files: 100
            scan_each: 1m
            max_file_part_size: 1048576
            allow_empty_paths: false
            paths:
              - pattern: /var/log/syslog
                tag: my.app.custom.tag
              - pattern: /var/log/system.log
                payload_format: c:event
              - pattern: C:\Program Files (x86)\Apache Software Foundation\Tomcat*\logs\*
                content_separator: '^_!'
                file_processor: multiline
              - pattern: C:\Program Files\Apache Software Foundation\Tomcat*\logs\*
                threshold_file_modification_time: -5s

 

watchdog → file_buffer_size

Total size in bytes per processed chunk.

int

watchdog → max_number_of_parts_per_file

Max number of processed events per chunk.

int

config_refresh

Specifies the interval in which the agent looks for updates of the configuration of the FilesFetcher extension in the EAM. Can be expressed in seconds (s), minutes (m) and hours (h).

duration

watchdog → max_concurrent_files

Number of files processed in parallel. If this value is less than 2, files are processed sequentially.

int

watchdog → scan_each

Minimum interval between the SQL queries that scan for new files.

duration

watchdog → max_file_part_size

Maximum size, in bytes, of each processed file part (chunk).

int

watchdog → allow_empty_paths

Allow the paths list to be empty (no patterns defined).

boolean

pattern → tag

Destination in Devo for all ingested files. Overrides default one.

string

pattern → payload_format

Allows the user to remove the JSON wrapper around each event sent to Devo so the events are sent “as is”.
Accepted values: c:event

fixed

pattern → content_separator

Defines an event delimiter string. By default, events are processed as full line events.

string

pattern → file_processor

Allows setting a multiline events processing in conjunction with the content_separator string. Default value is fixed (single-line events).
Accepted values: fixed, multiline

fixed

pattern → threshold_file_modification_time

Negative duration (for example -5s): a file must have been unmodified for at least that long before the File Fetcher considers its content fully written and reads it.

Duration

Decorator options

Name

Description

Type

Sample (with default value)

load

Run these decorators (queries) when the configuration loads (or is reloaded).

list

Code Block
apiVersion: v1
kind: options
spec:
  common: 
    config:
      decorators: 
        load:
          - SELECT uuid AS host_uuid FROM system_info;
          - SELECT hostname AS hostname FROM system_info;
        always:
          - SELECT address as hostIp FROM interface_details id join interface_addresses ia on ia.interface = id.interface where length(mac) > 0 and ia.address LIKE '%.%' order by (ibytes + obytes) desc LIMIT 1;
          - SELECT value AS tls_hostname FROM osquery_flags WHERE name = 'tls_hostname';
        interval:
          3600:
            - SELECT platform AS platform FROM os_version;
            - SELECT filename as agent_tags FROM file WHERE path like "/etc/osquery/agent-tags/%" or path like "/private/var/osquery/agent-tags/%" or path like "C:\Program Files\osquery\agent-tags\%" LIMIT 1;

always

Run these decorators (queries) before each query in the schedule.

list

interval

Special key that defines a map of intervals (interval in seconds as key and a list of queries as value).

dict