Endpoint Agent client configuration flags

deam_fleet_config_agent_opts_events_expiry

Expiration age for evented data (in seconds), applied once the data is queried.

int

deam_fleet_config_agent_opts_events_max

Maximum number of events to buffer in the backing store while waiting for a query to "drain" them.

int

deam_fleet_config_agent_opts_logger_min_status

Minimum level for status log recording. Use the following values: INFO = 0, WARNING = 1, ERROR = 2. To disable all status messages use 3 or higher.

int

deam_fleet_config_agent_opts_distributed_interval

Amount of time that the EA will wait between periodically checking in with a distributed query server to see if there are any queries to execute.

int

deam_fleet_config_agent_opts_config_refresh

Only in 1.3.0. Configuration refresh interval in seconds.

int

deam_fleet_config_agent_opts_distributed_tls_max_attempts

Total number of attempts that will be made to the remote distributed query server if a request fails when using the tls distributed plugin.

int

deam_fleet_config_agent_opts_disable_distributed

Disable distributed queries functionality.

boolean

deam_fleet_config_agent_opts_logger_tls_period

Number of seconds before checking for buffered logs. Results are sent to the TLS endpoint in intervals, not on demand.

int

deam_fleet_config_agent_opts_logger_tls_compress

Enable or disable GZIP compression for request bodies when sending.

boolean

deam_fleet_config_agent_opts_schedule_splay_percent

Percent to splay config times. The query schedule often includes several queries with the same interval.

int

deam_fleet_config_agent_opts_tls_session_reuse

Only in 1.3.0. Reuse TLS session sockets.

boolean

deam_fleet_config_agent_opts_win_windows_event_channels

List of Windows Event Log channels for osquery to subscribe to.

string

deam_fleet_config_agent_opts

General options related to the way the EA Client behaves for all endpoints. You can add flags supported by osquery in this section.

dict

deam_fleet_config_agent_opts_nix

Options related to the way the EA Client behaves for Linux endpoints. You can add flags supported by osquery in this section.
Overrides general ones.

dict

deam_fleet_config_agent_opts_win

Options related to the way the EA Client behaves for Windows endpoints. You can add flags supported by osquery in this section.
Overrides general ones.

dict

deam_fleet_config_agent_opts_darwin

Options related to the way the EA Client behaves for macOS endpoints. You can add flags supported by osquery in this section.
Overrides general ones.

dict

EA supported options. Keep in mind that following samples are not necessarily the default values.

events_expiry

Expiration age for evented data (in seconds), applied once the data is queried.
Same as deam_fleet_config_agent_opts_events_expiry.

int

events_max

Maximum number of events to buffer in the backing store while waiting for a query to "drain" them.
Same as deam_fleet_config_agent_opts_events_max.

int

logger_min_status

Minimum level for status log recording. Use the following values: INFO = 0, WARNING = 1, ERROR = 2. To disable all status messages use 3 or higher.
Same as deam_fleet_config_agent_opts_logger_min_status.

int

distributed_interval

Amount of time that the EA will wait between periodically checking in with a distributed query server to see if there are any queries to execute.
Same as deam_fleet_config_agent_opts_distributed_interval.

int

config_refresh

Only in 1.3.0. Configuration refresh interval in seconds.
Same as deam_fleet_config_agent_opts_config_refresh.

int

distributed_tls_max_attempts

Total number of attempts that will be made to the remote distributed query server if a request fails when using the tls distributed plugin.
Same as deam_fleet_config_agent_opts_distributed_tls_max_attempts.

int

disable_distributed

Disable distributed queries functionality.
Same as deam_fleet_config_agent_opts_disable_distributed.

boolean

logger_tls_period

Number of seconds before checking for buffered logs. Results are sent to the TLS endpoint in intervals, not on demand.
Same as deam_fleet_config_agent_opts_logger_tls_period.

int

logger_tls_compress

Enable or disable GZIP compression for request bodies when sending.

Same as deam_fleet_config_agent_opts_logger_tls_compress.

boolean

schedule_splay_percent

Percent to splay config times. The query schedule often includes several queries with the same interval.
Same as deam_fleet_config_agent_opts_schedule_splay_percent

int

tls_session_reuse

Only in 1.3.0. Reuse TLS session sockets.

Same as deam_fleet_config_agent_opts_tls_session_reuse.

boolean

distributed_plugin

List of Windows Event Log channels for osquery to subscribe to.

distributed_tls_read_endpoint

The URI path which will be used, in conjunction with tls_hostname, to create the remote URI for retrieving distributed queries when using the tls distributed plugin.

string

distributed_tls_write_endpoint

The URI path which will be used, in conjunction with tls_hostname, to create the remote URI for submitting the results of distributed queries when using the tls distributed plugin.

string

logger_plugin

Only in 1.3.0. Logger plugin name.
Accepted values: filesystem, tls, syslog

fixed

logger_snapshot_event_type

Log scheduled snapshot results as events, similar to differential results.

boolean

logger_tls_endpoint

The tls endpoint path when using the tls logger plugin.

string

pack_delimiter

Control the delimiter between pack name and pack query names.

string

audit_allow_config

Allows or prevents osquery from making changes to the audit configuration settings.
Only for Linux and macOS endpoints.

boolean

audit_allow_sockets

Allow the audit publisher to install socket-related rules.
Only for Linux and macOS endpoints.

boolean

audit_persist

Instructs osquery to regain the audit netlink socket if another process also accesses it.
Only for Linux endpoints.

boolean

disable_audit

Allow or prevents osquery from opening the kernel audit's netlink socket.
Only for Linux and macOS endpoints.

boolean

enable_syslog

Turn on the syslog ingestion event publisher.
Only for Linux endpoints.

boolean

windows_event_channels

List of Windows Event Log channels for osquery to subscribe to. Same as deam_fleet_config_agent_opts_win_windows_event_channels.
Only for Windows endpoints.

string

dea_osq_config_refresh

Configuration refresh interval in seconds.

int

dea_osq_tls_session_reuse

Enable ("true") the reuse of the session between agent and manager.
Be careful when enabling this feature as its performance might be affected when session is reused.
In most cases this feature should be disabled ("false").

string

dea_osq_logger_plugin

Logger plugin for results of scheduled queries.
Default value must not be changed in common scenarios.

string

dea_osq_distributed_plugin

Plugin to look for new distributed queries.
Default value must not be changed in common scenarios.

string

dea_osq_config_plugin: tls

Plugin to load distributed configuration.
Default value must not be changed in common scenarios.

string

deam_fleet_config_devoext_fetchfiles_default_tag

Default destination in Devo for all ingested files. Can be overriden in the patterns options.

string

deam_fleet_config_devoext_fetchfiles_buffer_size

Total size in bytes per processed chunk.

int

deam_fleet_config_devoext_fetchfiles_buffer_max_number_of_parts_per_file

Max number of processed events per chunk.

int

deam_fleet_config_devoext_fetchfiles_config_refresh

Specifies the interval in which the agent will look for updates of the configuration of the Files Fetcher extension in the EAM. Can be expressed in seconds (s), minutes (m) and hours (h).

Duration

deam_fleet_config_devoext_fetchfiles_watchdog_opts

FetchFiles watchdog general options (for all endpoints regardless of OS).

dict

deam_fleet_config_devoext_fetchfiles_watchdog_nix

FetchFiles watchdog options, only for Linux endpoints. This flag overrides the general one.

dict

deam_fleet_config_devoext_fetchfiles_watchdog_win

FetchFiles watchdog options, only for Windows endpoints.

dict

deam_fleet_config_devoext_fetchfiles_watchdog_darwin

FetchFiles watchdog options, only for macOS endpoints.

dict

FetchFiles watchdog supported options. Keep in mind that the following samples are not necessarily the default values.

max_concurrent_files

Number of parallel file processing. If this file is less than 2, no kind of file processing in parallel is used.

int

scan_each

Defines the minimum interval between SQL queries to run fresh scans for new files.

duration

max_file_part_size

Max number of processed events per chunk.

int

allow_empty_paths

Allow empty paths.

boolean

deam_fleet_config_devoext_fetchfiles_paths_nix

Definition of files scanning paths along with their respective scanning options for Linux endpoints.

dict

deam_fleet_config_devoext_fetchfiles_paths_win

Definition of files scanning paths along with their respective scanning options for Windows endpoints.

dict

deam_fleet_config_devoext_fetchfiles_paths_darwin

Definition of files scanning paths along with their respective scanning options for macOS endpoints.

dict

FetchFiles pattern level supported options. Keep in mind that following samples are not necessarily the default values.

tag

Destination in Devo for all ingested files.

string

payload_format

Allows you to remove the JSON wrapper around each event sent to Devo so the events are sent “as is”.
Accepted values: c:event

fixed

content_separator

Defines an event delimiter string. By default, events are processed as full line events.

string

file_processor

Allows you to set a multiline events processing in conjunction with the content_separator string. Default value is fixed (single-line events).
Accepted values: fixed, multiline

fixed

threshold_file_modification_time

Negative number in duration format that represents the time the File Fetcher needs to consider that an event is fully written.

Duration

deam_fleet_config_extra_decorators

Run these decorators (queries) when the configuration loads (or is reloaded).
Applies to all endpoints regardless of OS.

list

deam_fleet_config_extra_decorators_nix

Run these decorators (queries) when the configuration loads (or is reloaded).
Applies only to Linux endpoints overriding the general one.

list

deam_fleet_config_extra_decorators_win

Run these decorators (queries) when the configuration loads (or is reloaded).
Applies only to Windows endpoints overriding the general one.

list

deam_fleet_config_extra_decorators_darwin

Run these decorators (queries) when the configuration loads (or is reloaded).
Applies only to macOS endpoints overriding the general one.

list

deam_fleet_config_extra_decorators_always

Run these decorators (queries) before each query in the schedule.
Applies to all endpoints regardless of OS.

list

deam_fleet_config_extra_decorators_always_nix

Run these decorators (queries) before each query in the schedule.
Applies only to Linux endpoints overriding the general one.

list

deam_fleet_config_extra_decorators_always_win

Run these decorators (queries) before each query in the schedule.
Applies only to Windows endpoints overriding the general one.

list

deam_fleet_config_extra_decorators_always_darwin

Run these decorators (queries) before each query in the schedule.
Applies only to macOS endpoints overriding the general one.

list

deam_fleet_config_extra_decorators_interval

Special key that defines a map of interval times (with duration as key and a list of queries as value).
Applies to all endpoints regardless of OS.

dict

deam_fleet_config_extra_decorators_interval_nix

Special key that defines a map of interval times (with duration as key and a list of queries as value).
Applies only to Linux endpoints overriding the general one.

dict

deam_fleet_config_extra_decorators_interval_win

Special key that defines a map of interval times (with duration as key and a list of queries as value).
Applies only to Windows endpoints overriding the general one.

dict

deam_fleet_config_extra_decorators_interval_darwin

Special key that defines a map of interval times (with duration as key and a list of queries as value).
Applies only to macOS endpoints overriding the general one.

dict

deam_fleet_config_extra_decorators_interval sample without default values

events_expiry

Expiration age for evented data (in seconds), applied once the data is queried.

int

events_max

Maximum number of events to buffer in the backing store while waiting for a query to "drain" them.

int

logger_min_status

Minimum level for status log recording. Use the following values: INFO = 0, WARNING = 1, ERROR = 2. To disable all status messages use 3 or higher.

int

distributed_interval

Amount of time that the EA waits before periodically checking in with a distributed query server to see if there are any queries to execute.

int

config_refresh

Configuration refresh interval in seconds.

int

distributed_tls_max_attempts

Total number of attempts that are made to the remote distributed query server if a request fails when using the tls distributed plugin.

int

disable_distributed

Disable distributed queries functionality.

boolean

logger_tls_period

Number of seconds before checking for buffered logs. Results are sent to the TLS endpoint in intervals, not on demand.

int

logger_tls_compress

Enable or disable GZIP compression for request bodies when sending.

boolean

schedule_splay_percent

Percent to splay config times. The query schedule often includes several queries with the same interval.

int

tls_session_reuse

Reuse TLS session sockets.

boolean

distributed_plugin

List of Windows Event Log channels for osquery to subscribe to.

distributed_tls_read_endpoint

The URI path which will be used, in conjunction with tls_hostname, to create the remote URI for retrieving distributed queries when using the tls distributed plugin.

string

distributed_tls_write_endpoint

The URI path which will be used, in conjunction with tls_hostname, to create the remote URI for submitting the results of distributed queries when using the tls distributed plugin.

string

logger_plugin

Logger plugin name.
Accepted values: filesystem, tls, syslog

fixed

logger_snapshot_event_type

Log scheduled snapshot results as events, similar to differential results.

boolean

logger_tls_endpoint

The tls endpoint path when using the tls logger plugin.

string

pack_delimiter

Control the delimiter between pack name and pack query names.

string

audit_allow_config

Allows or prevents osquery from making changes to the audit configuration settings.
Only for Linux and macOS endpoints.

boolean

audit_allow_sockets

Allow the audit publisher to install socket-related rules.
Only for Linux and macOS endpoints.

boolean

audit_persist

Instructs osquery to regain the audit netlink socket if another process also accesses it.
Only for Linux endpoints.

boolean

disable_audit

Allows or prevents osquery from opening the kernel audit's netlink socket.
Only for Linux and macOS endpoints.

boolean

enable_syslog

Turn on the syslog ingestion event publisher.
Only for Linux endpoints.

boolean

windows_event_channels

List of Windows Event Log channels for osquery to subscribe to. Same as deam_fleet_config_agent_opts_win_windows_event_channels.
Only for Windows endpoints.

string

watchdog → tag

General destination in Devo for all ingested files. Applies to all patterns.

string

watchdog → file_buffer_size

Total size in bytes per processed chunk.

int

watchdog → max_number_of_parts_per_file

Max number of processed events per chunk.

int

config_refresh

Specifies the interval in which the agent looks for updates of the configuration of the FilesFetcher extension in the EAM. Can be expressed in seconds (s), minutes (m) and hours (h).

duration

watchdog → max_concurrent_files

Number of parallel file processing. If this file is less than 2, no kind of file processing in parallel is used.

int

watchdog → scan_each

Minimum period between SQL queries to run new scan for new files.

duration

watchdog → max_file_part_size

Max number of processed events per chunk.

int

watchdog → allow_empty_paths

Allow empty paths.

boolean

pattern → tag

Destination in Devo for all ingested files. Overrides default one.

string

pattern → payload_format

Allows the user to remove the JSON wrapper around each event sent to Devo so the events are sent “as is”.
Accepted values: c:event

fixed

pattern → content_separator

Defines an event delimiter string. By default, events are processed as full line events.

string

pattern → file_processor

Allows setting a multiline events processing in conjunction with the content_separator string. Default value is fixed (single-line events).
Accepted values: fixed, multiline

fixed

pattern → threshold_file_modification_time

Negative number in duration format that represents the time the File Fetcher needs to consider that an event is fully written.

Duration

load

Run these decorators (queries) when the configuration loads (or is reloaded).

list

always

Run these decorators (queries) before each query in the schedule.

list

interval

Special key that defines a map of interval times (with duration as key and a list of queries as value).

dict