The Endpoint Agent Manager (EAM) lets you retrieve your endpoint data easily with a centralized configuration. However, each environment is different and has its own needs, so the EAM offers many configurable options that let you tune it for each environment.
To configure the Endpoint Agent options centrally, the EAM applies the configuration to the existing deployment via Ansible playbooks. Up to EA 1.2.1, the configuration to be deployed lived in $HOME/devo-ea-deployer/playbooks/roles/files/deam-packs/options.yaml, so every configuration change had to be made there using the osquery event flag naming convention. From EA 1.3 on, changes are centralized in the inventory file used for deployment and follow a different naming convention.
From EA 1.3.1 there is a set of agent configuration options that can only be set in the flags file, which is deployed when the Endpoint Agent is installed using the package. These options cannot be set through the distributed options and can only be changed in the agent configuration on the running hosts.
Because the naming differs depending on whether the centralized configuration is changed via Ansible roles or via the Web UI, this document is intended as a glossary of the parameter names that can be used when modifying it.
Via Ansible - 1.3.0 or beyond
In versions 1.3.0 or later, the allowed options have been moved from the old options.yaml file to the inventory file. To add or change any option, open the inventory that was used in your deployment and add the new flags to its vars section.
Flags tables
Agent/OSQuery options
All of these variables go under the `all: vars:` section of the inventory (for example `deam_fleet_config_agent_opts_events_expiry: 300`).

Name | Description | Type | Sample (with default value) |
---|---|---|---|
`deam_fleet_config_agent_opts_events_expiry` | Expiration age for evented data (in seconds), applied once the data is queried. | int | `300` |
`deam_fleet_config_agent_opts_events_max` | Maximum number of events to buffer in the backing store while waiting for a query to "drain" them. | int | `500000` |
`deam_fleet_config_agent_opts_logger_min_status` | Minimum level for status log recording. Use the following values: | int | `1` |
`deam_fleet_config_agent_opts_distributed_interval` | Amount of time that the EA will wait between periodically checking in with a distributed query server to see if there are any queries to execute. | int | `60` |
`deam_fleet_config_agent_opts_config_refresh` | Only in 1.3.0. Configuration refresh interval in seconds. | int | `900` |
`deam_fleet_config_agent_opts_distributed_tls_max_attempts` | Total number of attempts that will be made to the remote distributed query server if a request fails when using the tls distributed plugin. | int | `3` |
`deam_fleet_config_agent_opts_disable_distributed` | Disable distributed queries functionality. | boolean | `false` |
`deam_fleet_config_agent_opts_logger_tls_period` | Number of seconds before checking for buffered logs. Results are sent to the TLS endpoint in intervals, not on demand. | int | `30` |
`deam_fleet_config_agent_opts_logger_tls_compress` | Enable or disable GZIP compression for request bodies when sending. | boolean | `true` |
`deam_fleet_config_agent_opts_schedule_splay_percent` | Percent to splay config times. The query schedule often includes several queries with the same interval. | int | `10` |
`deam_fleet_config_agent_opts_tls_session_reuse` | Only in 1.3.0. Reuse TLS session sockets. | boolean | `false` |
`deam_fleet_config_agent_opts_win_windows_event_channels` | List of Windows Event Log channels for osquery to subscribe to. | string | `System,Application,Setup,Security,Microsoft-Windows-PowerShell/Operational,ForwardedEvents` |
Name | Description | Type | Sample (with default values) |
---|---|---|---|
`deam_fleet_config_agent_opts` | General options related to the way the EA Client behaves for all endpoints. You can add flags supported by osquery in this section. | dict | `{}` |
`deam_fleet_config_agent_opts_nix` | Options related to the way the EA Client behaves for Linux endpoints. You can add flags supported by osquery in this section. | dict | `{}` |
`deam_fleet_config_agent_opts_win` | Options related to the way the EA Client behaves for Windows endpoints. You can add flags supported by osquery in this section. | dict | `{}` |
`deam_fleet_config_agent_opts_darwin` | Options related to the way the EA Client behaves for macOS endpoints. You can add flags supported by osquery in this section. | dict | `{}` |

EA supported options. Keep in mind that the following samples are not necessarily the default values:

```yaml
all:
  vars:
    deam_fleet_config_agent_opts:
      events_expiry: 300
      events_max: 500000
      logger_min_status: 1
      distributed_interval: 60
      config_refresh: 900
      distributed_tls_max_attempts: 3
      disable_distributed: false
      logger_tls_period: 30
      logger_tls_compress: true
      schedule_splay_percent: 10
      tls_session_reuse: false
      distributed_plugin: tls
      distributed_tls_read_endpoint: /api/v1/osquery/distributed/read
      distributed_tls_write_endpoint: /api/v1/osquery/distributed/write
      logger_plugin: tls
      logger_snapshot_event_type: true
      logger_tls_endpoint: /api/v1/osquery/log
      pack_delimiter: /
    deam_fleet_config_agent_opts_nix:
      audit_allow_config: true
      audit_allow_sockets: true
      audit_persist: true
      disable_audit: false
      enable_syslog: true
    deam_fleet_config_agent_opts_win:
      windows_event_channels: System,Application,Setup,Security,Microsoft-Windows-PowerShell/Operational,ForwardedEvents
    deam_fleet_config_agent_opts_darwin:
      audit_allow_config: true
      audit_allow_sockets: true
      disable_audit: false
```

Name | Description | Type |
---|---|---|
`events_expiry` | Expiration age for evented data (in seconds), applied once the data is queried. | int |
`events_max` | Maximum number of events to buffer in the backing store while waiting for a query to "drain" them. | int |
`logger_min_status` | Minimum level for status log recording. Use the following values: | int |
`distributed_interval` | Amount of time that the EA will wait between periodically checking in with a distributed query server to see if there are any queries to execute. | int |
`config_refresh` | Only in 1.3.0. Configuration refresh interval in seconds. | int |
`distributed_tls_max_attempts` | Total number of attempts that will be made to the remote distributed query server if a request fails when using the tls distributed plugin. | int |
`disable_distributed` | Disable distributed queries functionality. | boolean |
`logger_tls_period` | Number of seconds before checking for buffered logs. Results are sent to the TLS endpoint in intervals, not on demand. | int |
`logger_tls_compress` | Enable or disable GZIP compression for request bodies when sending. Same as | boolean |
`schedule_splay_percent` | Percent to splay config times. The query schedule often includes several queries with the same interval. | int |
`tls_session_reuse` | Only in 1.3.0. Reuse TLS session sockets. Same as | boolean |
`distributed_plugin` | Plugin to look for new distributed queries. | string |
`distributed_tls_read_endpoint` | The URI path which will be used, in conjunction with | string |
`distributed_tls_write_endpoint` | The URI path which will be used, in conjunction with | string |
`logger_plugin` | Only in 1.3.0. Logger plugin name. | fixed |
`logger_snapshot_event_type` | Log scheduled snapshot results as events, similar to differential results. | boolean |
`logger_tls_endpoint` | The tls endpoint path when using the tls logger plugin. | string |
`pack_delimiter` | Control the delimiter between pack name and pack query names. | string |
`audit_allow_config` | Allows or prevents osquery from making changes to the audit configuration settings. | boolean |
`audit_allow_sockets` | Allow the audit publisher to install socket-related rules. | boolean |
`audit_persist` | Instructs osquery to regain the audit netlink socket if another process also accesses it. | boolean |
`disable_audit` | Allows or prevents osquery from opening the kernel audit's netlink socket. | boolean |
`enable_syslog` | Turn on the syslog ingestion event publisher. | boolean |
`windows_event_channels` | List of Windows Event Log channels for osquery to subscribe to. Same as | string |
Agent/OSQuery Flags (agent configuration file). Only from 1.3.1
Name | Description | Type | Sample (with default value) |
---|---|---|---|
`dea_osq_config_refresh` | Configuration refresh interval in seconds. | int | `900` |
`dea_osq_tls_session_reuse` | Enable ( | string | `"false"` |
`dea_osq_logger_plugin` | Logger plugin for results of scheduled queries. | string | `tls` |
`dea_osq_distributed_plugin` | Plugin to look for new distributed queries. | string | `tls` |
`dea_osq_config_plugin` | Plugin to load distributed configuration. | string | `tls` |
The `[]` and `{}` values are used in YAML to declare the value of a key as an empty list or an empty dict, respectively.
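A small lint for the inventory variables described in the tables above, checking each option against its documented type and flagging the keys that, from EA 1.3.1, can only be set in the flags file. This is an added example, not code from the Devo EAM deployer; the schema is transcribed from the tables, and `SAMPLE_INVENTORY` is a constructed dict standing in for `yaml.safe_load()` of the deployment inventory.

```python
"""Lint the deam_fleet_config_agent_opts* variables of an EA inventory.
Added example, not part of the Devo EAM deployer: the schema is transcribed from
the flag tables above and SAMPLE_INVENTORY is a constructed dict standing in for
yaml.safe_load() of the deployment inventory."""

PREFIX = "deam_fleet_config_agent_opts"
OPTS_VARS = {PREFIX, PREFIX + "_nix", PREFIX + "_win", PREFIX + "_darwin"}

# Documented type of each distributed option (transcribed from the tables above).
SCHEMA = {
    "events_expiry": int, "events_max": int, "logger_min_status": int,
    "distributed_interval": int, "distributed_tls_max_attempts": int,
    "disable_distributed": bool, "logger_tls_period": int, "logger_tls_compress": bool,
    "schedule_splay_percent": int, "distributed_tls_read_endpoint": str,
    "distributed_tls_write_endpoint": str, "logger_snapshot_event_type": bool,
    "logger_tls_endpoint": str, "pack_delimiter": str, "audit_allow_config": bool,
    "audit_allow_sockets": bool, "audit_persist": bool, "disable_audit": bool,
    "enable_syslog": bool, "windows_event_channels": str,
    "config_refresh": int, "tls_session_reuse": bool,  # distributed only in 1.3.0
}
# From EA 1.3.1 these keys can only be set in the flags file (dea_osq_* variables).
FLAGS_FILE_ONLY = {k: "dea_osq_" + k for k in (
    "config_refresh", "tls_session_reuse", "logger_plugin", "distributed_plugin", "config_plugin")}

def check_option(where, key, value, ea_version):
    """Findings for one option; `key` is the bare osquery option name."""
    if ea_version >= (1, 3, 1) and key in FLAGS_FILE_ONLY:
        return [f"{where}: flags-file only from EA 1.3.1, set {FLAGS_FILE_ONLY[key]} instead"]
    want = SCHEMA.get(key)
    if want is None:  # any other osquery flag is passed through unchecked
        return []
    # bool is a subclass of int in Python, so reject true/false for int options.
    ok = isinstance(value, want) and not (want is int and isinstance(value, bool))
    return [] if ok else [f"{where}: expected {want.__name__}, got {type(value).__name__}"]

def lint_inventory(inventory, ea_version=(1, 3, 1)):
    """Return a list of findings for the all.vars section of a loaded inventory."""
    findings = []
    for var, value in inventory.get("all", {}).get("vars", {}).items():
        if not var.startswith(PREFIX):
            continue
        if var in OPTS_VARS:  # per-OS dict of osquery options
            if not isinstance(value, dict):
                findings.append(f"{var}: must be a dict ({{}} when empty), got {type(value).__name__}")
                continue
            for key, val in value.items():
                findings += check_option(f"{var}.{key}", key, val, ea_version)
        else:  # flat variable: prefix, optional OS, option name
            key = var[len(PREFIX) + 1:]
            for os_prefix in ("nix_", "win_", "darwin_"):
                if key.startswith(os_prefix):
                    key = key[len(os_prefix):]
            findings += check_option(var, key, value, ea_version)
    return findings

SAMPLE_INVENTORY = {"all": {"vars": {  # constructed input with deliberate mistakes
    PREFIX: {"events_expiry": 300,
             "logger_tls_compress": "true",  # string where a boolean is documented
             "config_refresh": 900},         # distributed option only in 1.3.0
    PREFIX + "_nix": {"disable_audit": False},
    PREFIX + "_win": [],                     # list where a dict is required
    PREFIX + "_distributed_interval": True,  # boolean where an int is documented
    PREFIX + "_win_windows_event_channels": "System,Security",
}}}
```

Running `lint_inventory(SAMPLE_INVENTORY)` reports four findings; with `ea_version=(1, 3, 0)` the `config_refresh` entry is accepted as a distributed option and only three remain.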
Extension options
Name | Description | Type | Sample (with default values) |
---|---|---|---|
`deam_fleet_config_devoext_fetchfiles_default_tag` | Default destination in Devo for all ingested files. Can be overridden in the pattern options. | string | `box.devo_ea.files` |
`deam_fleet_config_devoext_fetchfiles_buffer_size` | Total size in bytes per processed chunk. | int | `131072` |
`deam_fleet_config_devoext_fetchfiles_buffer_max_number_of_parts_per_file` | Max number of processed events per chunk. | int | `2000` |
`deam_fleet_config_devoext_fetchfiles_config_refresh` | Specifies the interval at which the agent looks for updates to the configuration of the Files Fetcher extension in the EAM. Can be expressed in seconds (s), minutes (m) and hours (h). | Duration | `10m` |
Name | Description | Type | Sample (with default values) |
---|---|---|---|
`deam_fleet_config_devoext_fetchfiles_watchdog_opts` | FetchFiles watchdog general options (for all endpoints regardless of OS). | dict | `{}` |
`deam_fleet_config_devoext_fetchfiles_watchdog_nix` | FetchFiles watchdog options, only for Linux endpoints. This flag overrides the general one. | dict | `{}` |
`deam_fleet_config_devoext_fetchfiles_watchdog_win` | FetchFiles watchdog options, only for Windows endpoints. | dict | `{allow_empty_paths: true}` |
`deam_fleet_config_devoext_fetchfiles_watchdog_darwin` | FetchFiles watchdog options, only for macOS endpoints. | dict | `{}` |

FetchFiles watchdog supported options. Keep in mind that the following samples are not necessarily the default values:

```yaml
all:
  vars:
    deam_fleet_config_devoext_fetchfiles_watchdog_nix:
      max_concurrent_files: 100
      scan_each: 1m
      max_file_part_size: 1048576
      allow_empty_paths: false
```

Name | Description | Type |
---|---|---|
`max_concurrent_files` | Number of files processed in parallel. If this value is less than 2, files are not processed in parallel. | int |
`scan_each` | Defines the minimum interval between SQL queries that run fresh scans for new files. | duration |
`max_file_part_size` | Max number of processed events per chunk. | int |
`allow_empty_paths` | Allow empty paths. | boolean |

Name | Description | Type | Sample (with default values) |
---|---|---|---|
`deam_fleet_config_devoext_fetchfiles_paths_nix` | Definition of file scanning paths along with their respective scanning options for Linux endpoints. | list | `[{pattern: /var/log/**/*log}]` |
`deam_fleet_config_devoext_fetchfiles_paths_win` | Definition of file scanning paths along with their respective scanning options for Windows endpoints. | list | `[]` |
`deam_fleet_config_devoext_fetchfiles_paths_darwin` | Definition of file scanning paths along with their respective scanning options for macOS endpoints. | list | `[{pattern: /var/log/system.log}]` |

FetchFiles pattern level supported options. Keep in mind that the following samples are not necessarily the default values:

```yaml
all:
  vars:
    deam_fleet_config_devoext_fetchfiles_paths_win:
      - pattern: /var/log/httpd/access_log
        tag: web.apache.access-combined.pro.ltdemo.www1
        payload_format: c:event
      - pattern: C:\flog\logs\xml\notes_xml?.log
        content_separator: <note>
        file_processor: multiline
      - pattern: C:\flog\logs\apache\**\error*log
        threshold_file_modification_time: -5s
```

Name | Description | Type |
---|---|---|
`tag` | Destination in Devo for all ingested files matching the pattern. | string |
`payload_format` | Allows you to remove the JSON wrapper around each event sent to Devo so the events are sent "as is". | fixed |
`content_separator` | Defines an event delimiter string. By default, events are processed as full-line events. | string |
`file_processor` | Allows you to set multiline event processing in conjunction with the content_separator string. The default value is fixed (single-line events). | fixed |
`threshold_file_modification_time` | Negative number in duration format that represents the time the File Fetcher needs to consider that an event is fully written. | Duration |
Decorator options
Name | Description | Type | Sample (with default values) |
---|---|---|---|
`deam_fleet_config_extra_decorators` | Run these decorators (queries) when the configuration loads (or is reloaded). | list | see the sample below |
`deam_fleet_config_extra_decorators_nix` | Run these decorators (queries) when the configuration loads (or is reloaded). Linux endpoints only. | list | `[]` |
`deam_fleet_config_extra_decorators_win` | Run these decorators (queries) when the configuration loads (or is reloaded). Windows endpoints only. | list | `[]` |
`deam_fleet_config_extra_decorators_darwin` | Run these decorators (queries) when the configuration loads (or is reloaded). macOS endpoints only. | list | `[]` |
`deam_fleet_config_extra_decorators_always` | Run these decorators (queries) before each query in the schedule. | list | `[]` |
`deam_fleet_config_extra_decorators_always_nix` | Run these decorators (queries) before each query in the schedule. Linux endpoints only. | list | `[]` |
`deam_fleet_config_extra_decorators_always_win` | Run these decorators (queries) before each query in the schedule. Windows endpoints only. | list | `[]` |
`deam_fleet_config_extra_decorators_always_darwin` | Run these decorators (queries) before each query in the schedule. macOS endpoints only. | list | `[]` |
`deam_fleet_config_extra_decorators_interval` | Special key that defines a map of interval times (with duration as key and a list of queries as value). | dict | `{}` |
`deam_fleet_config_extra_decorators_interval_nix` | Special key that defines a map of interval times (with duration as key and a list of queries as value). Linux endpoints only. | dict | `{}` |
`deam_fleet_config_extra_decorators_interval_win` | Special key that defines a map of interval times (with duration as key and a list of queries as value). Windows endpoints only. | dict | `{}` |
`deam_fleet_config_extra_decorators_interval_darwin` | Special key that defines a map of interval times (with duration as key and a list of queries as value). macOS endpoints only. | dict | `{}` |

Sample load-time decorators:

```yaml
all:
  vars:
    deam_fleet_config_extra_decorators:
      - SELECT uuid AS host_uuid FROM system_info;
      - SELECT hostname AS hostname FROM system_info;
      - SELECT address as hostIp FROM interface_details id join interface_addresses ia on ia.interface = id.interface where length(mac) > 0 and ia.address LIKE '%.%' order by (ibytes + obytes) desc LIMIT 1;
      - SELECT value AS tls_hostname FROM osquery_flags WHERE name = 'tls_hostname';
      - SELECT platform AS platform FROM os_version;
      - SELECT filename as agent_tags FROM file WHERE path like "/etc/osquery/agent-tags/%" or path like "/private/var/osquery/agent-tags/%" or path like "C:\Program Files\osquery\agent-tags\%" LIMIT 1;
```

Sample interval decorators (duration in seconds as the key):

```yaml
all:
  vars:
    deam_fleet_config_extra_decorators_interval:
      3600:
        - SELECT uuid AS host_uuid FROM system_info;
        - SELECT total_seconds AS uptime FROM uptime;
```
The `[]` and `{}` values are used in YAML to declare the value of a key as an empty list or an empty dict, respectively.
Via Web UI (all versions) and via Ansible (EA 1.2.1 or previous)
Older versions (1.2.1 or previous) had a different way to add or change these options. In the uncompressed EAM directory, you need to modify the $HOME/devo-ea-deployer/playbooks/roles/deam-packs/files/devo-packs/options.yaml file and add or modify the flags in the corresponding sections.
Web UI changes keep names and keys, so if you want to make the changes non-persistent in the browser, you need to use these flags too.
Flags table
Agent/OSQuery options
Sample options.yaml (the values shown are not necessarily the defaults):

```yaml
apiVersion: v1
kind: config
spec:
  common:
    config:
      options:
        events_expiry: 300
        events_max: 500000
        logger_min_status: 1
        distributed_interval: 60
        config_refresh: 900
        distributed_tls_max_attempts: 3
        disable_distributed: false
        logger_tls_period: 30
        logger_tls_compress: true
        schedule_splay_percent: 10
        tls_session_reuse: false
        distributed_plugin: tls
        distributed_tls_read_endpoint: /api/v1/osquery/distributed/read
        distributed_tls_write_endpoint: /api/v1/osquery/distributed/write
        logger_plugin: tls
        logger_snapshot_event_type: true
        logger_tls_endpoint: /api/v1/osquery/log
        pack_delimiter: /
        audit_allow_config: true
        audit_allow_sockets: true
        audit_persist: true
        disable_audit: false
        enable_syslog: true
  overrides:
    platforms:
      windows:
        options:
          windows_event_channels: System,Application,Setup,Security,Microsoft-Windows-PowerShell/Operational,ForwardedEvents
      darwin:
        options:
          audit_allow_config: true
          audit_allow_sockets: true
          disable_audit: false
```

Name | Description | Type |
---|---|---|
`events_expiry` | Expiration age for evented data (in seconds), applied once the data is queried. | int |
`events_max` | Maximum number of events to buffer in the backing store while waiting for a query to "drain" them. | int |
`logger_min_status` | Minimum level for status log recording. Use the following values: | int |
`distributed_interval` | Amount of time that the EA waits before periodically checking in with a distributed query server to see if there are any queries to execute. | int |
`config_refresh` | Configuration refresh interval in seconds. | int |
`distributed_tls_max_attempts` | Total number of attempts that are made to the remote distributed query server if a request fails when using the tls distributed plugin. | int |
`disable_distributed` | Disable distributed queries functionality. | boolean |
`logger_tls_period` | Number of seconds before checking for buffered logs. Results are sent to the TLS endpoint in intervals, not on demand. | int |
`logger_tls_compress` | Enable or disable GZIP compression for request bodies when sending. | boolean |
`schedule_splay_percent` | Percent to splay config times. The query schedule often includes several queries with the same interval. | int |
`tls_session_reuse` | Reuse TLS session sockets. | boolean |
`distributed_plugin` | Plugin to look for new distributed queries. | string |
`distributed_tls_read_endpoint` | The URI path which will be used, in conjunction with | string |
`distributed_tls_write_endpoint` | The URI path which will be used, in conjunction with | string |
`logger_plugin` | Logger plugin name. | fixed |
`logger_snapshot_event_type` | Log scheduled snapshot results as events, similar to differential results. | boolean |
`logger_tls_endpoint` | The tls endpoint path when using the tls logger plugin. | string |
`pack_delimiter` | Control the delimiter between pack name and pack query names. | string |
`audit_allow_config` | Allows or prevents osquery from making changes to the audit configuration settings. | boolean |
`audit_allow_sockets` | Allow the audit publisher to install socket-related rules. | boolean |
`audit_persist` | Instructs osquery to regain the audit netlink socket if another process also accesses it. | boolean |
`disable_audit` | Allows or prevents osquery from opening the kernel audit's netlink socket. | boolean |
`enable_syslog` | Turn on the syslog ingestion event publisher. | boolean |
`windows_event_channels` | List of Windows Event Log channels for osquery to subscribe to. Same as | string |
Extension options
Sample options.yaml for the FetchFiles extension (the values shown are not necessarily the defaults):

```yaml
apiVersion: v1
kind: options
spec:
  common:
    config:
      devo_extensions:
        fetchfiles:
          config_refresh: 10m
          watchdog:
            tag: box.devo_ea.files
            file_buffer_size: 131072
            max_number_of_parts_per_file: 2000
            max_concurrent_files: 100
            scan_each: 1m
            max_file_part_size: 1048576
            allow_empty_paths: false
          paths:
            - pattern: /var/log/syslog
              tag: my.app.custom.tag
            - pattern: /var/log/system.log
              payload_format: c:event
            - pattern: C:\Program Files (x86)\Apache Software Foundation\Tomcat*\logs\*
              content_separator: '^_!'
              file_processor: multiline
            - pattern: C:\Program Files\Apache Software Foundation\Tomcat*\logs\*
              threshold_file_modification_time: -5s
```

Name | Description | Type |
---|---|---|
watchdog → `tag` | General destination in Devo for all ingested files. Applies to all patterns. | string |
watchdog → `file_buffer_size` | Total size in bytes per processed chunk. | int |
watchdog → `max_number_of_parts_per_file` | Max number of processed events per chunk. | int |
`config_refresh` | Specifies the interval at which the agent looks for updates to the configuration of the FilesFetcher extension in the EAM. Can be expressed in seconds (s), minutes (m) and hours (h). | duration |
watchdog → `max_concurrent_files` | Number of files processed in parallel. If this value is less than 2, files are not processed in parallel. | int |
watchdog → `scan_each` | Minimum period between SQL queries that run a new scan for new files. | duration |
watchdog → `max_file_part_size` | Max number of processed events per chunk. | int |
watchdog → `allow_empty_paths` | Allow empty paths. | boolean |
pattern → `tag` | Destination in Devo for all ingested files matching the pattern. Overrides the default one. | string |
pattern → `payload_format` | Allows the user to remove the JSON wrapper around each event sent to Devo so the events are sent "as is". | fixed |
pattern → `content_separator` | Defines an event delimiter string. By default, events are processed as full-line events. | string |
pattern → `file_processor` | Allows setting multiline event processing in conjunction with the content_separator string. The default value is fixed (single-line events). | fixed |
pattern → `threshold_file_modification_time` | Negative number in duration format that represents the time the File Fetcher needs to consider that an event is fully written. | Duration |
Decorator options
Sample options.yaml for decorators:

```yaml
apiVersion: v1
kind: options
spec:
  common:
    config:
      decorators:
        load:
          - SELECT uuid AS host_uuid FROM system_info;
          - SELECT hostname AS hostname FROM system_info;
        always:
          - SELECT address as hostIp FROM interface_details id join interface_addresses ia on ia.interface = id.interface where length(mac) > 0 and ia.address LIKE '%.%' order by (ibytes + obytes) desc LIMIT 1;
          - SELECT value AS tls_hostname FROM osquery_flags WHERE name = 'tls_hostname';
        interval:
          3600:
            - SELECT platform AS platform FROM os_version;
            - SELECT filename as agent_tags FROM file WHERE path like "/etc/osquery/agent-tags/%" or path like "/private/var/osquery/agent-tags/%" or path like "C:\Program Files\osquery\agent-tags\%" LIMIT 1;
```

Name | Description | Type |
---|---|---|
`load` | Run these decorators (queries) when the configuration loads (or is reloaded). | list |
`always` | Run these decorators (queries) before each query in the schedule. | list |
`interval` | Special key that defines a map of interval times (with duration as key and a list of queries as value). | dict |