fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com

Create Labels on Fleet DB #105

Open anelshaer opened 3 years ago

anelshaer commented 3 years ago

Labels are really useful to segment and categorize hosts, but labels are queries that run on each system. It makes more sense to have two kinds of labels:

Example: when you want to create a hosts label to get all hosts that have "%.dev.%", this will run on all hosts, but it makes more sense to just run it on the DB: SELECT * FROM system_info where hostname like '%.dev.%'; Basically, for any information that is known to be in the DB, it makes more sense to run that label on the DB and not query all hosts.

noahtalerman commented 3 years ago

Hi @anelshaer. Great suggestion. Why does it make more sense for you to have these two kinds of labels? Why would you rather have the query in your example run on the Fleet DB instead of all hosts?

anelshaer commented 3 years ago

Hi Noah,

Labels that are based on packages, config files, or something that needs a system check would make sense to run on each system. Labels that run on system info, osquery info, or data gathered by Fleet like the hostname, for example: seeing these queries and running them on each osquery agent, it has some processing cost like other queries, and it also generates logs in osqueryd.INFO like the examples below.

I suggest having the option to run them on the DB, and both kinds would also have a frequency set, like I noticed the labels run each hour, I guess.

Executing distributed query: kolide_label_query_36: select 1 from file where path="/etc/rsyslog.d/osquery.conf";
Executing distributed query: kolide_label_query_37: SELECT 1 FROM system_info where hostname like "%.dev.%";
Executing distributed query: kolide_label_query_38: SELECT 1 FROM system_info WHERE hostname NOT LIKE "%.dev.%";
Executing distributed query: kolide_label_query_39: SELECT 1 FROM system_info where hostname like 'php%';
Executing distributed query: kolide_label_query_40: SELECT 1 FROM osquery_info where version != '4.3.0';
Executing distributed query: kolide_label_query_47: SELECT 1 FROM system_info where hostname like 'php-qt2.dev.%' or hostname like 'php-m67.dev.%' ;
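
To make the distinction in this comment concrete, here is an added example (not Fleet's own code, and not anything the project implements): it classifies a label query by the tables it references and, when every table is one the server already holds a copy of, evaluates the query against the stored host details instead of distributing it to every agent. The table set `SERVER_KNOWN_TABLES`, the `HOST_INVENTORY` rows and the use of SQLite as a stand-in for osquery's SQL dialect are all assumptions made for the example.

```python
import re
import sqlite3

# Assumption for this example: tables whose rows the server already collects
# from every host (host details), so a label over them needs no host round trip.
SERVER_KNOWN_TABLES = {"system_info", "osquery_info"}

# Constructed inventory standing in for what the server stores per host.
HOST_INVENTORY = {
    1: {"hostname": "php-qt2.dev.example", "version": "4.3.0"},
    2: {"hostname": "web-01.prod.example", "version": "4.2.0"},
    3: {"hostname": "php-m67.dev.example", "version": "4.5.1"},
}

# Crude table extraction: enough for the single-table label queries in this
# thread, not a full SQL parser.
TABLE_RE = re.compile(r"\b(?:from|join)\s+([A-Za-z_][A-Za-z0-9_]*)", re.IGNORECASE)


def referenced_tables(query):
    """Return the set of table names a label query reads from."""
    return {t.lower() for t in TABLE_RE.findall(query)}


def server_evaluable(query):
    """True when every referenced table is already held server-side."""
    tables = referenced_tables(query)
    return bool(tables) and tables <= SERVER_KNOWN_TABLES


def evaluate_on_server(query):
    """Run the unmodified label query per host against the stored details.

    A per-host in-memory SQLite DB mirrors osquery's 'SELECT 1 FROM ...'
    semantics: the host is a member when the query returns at least one row.
    """
    matches = []
    for host_id, details in HOST_INVENTORY.items():
        conn = sqlite3.connect(":memory:")
        conn.execute("CREATE TABLE system_info (hostname TEXT)")
        conn.execute("CREATE TABLE osquery_info (version TEXT)")
        conn.execute("INSERT INTO system_info VALUES (?)", (details["hostname"],))
        conn.execute("INSERT INTO osquery_info VALUES (?)", (details["version"],))
        if conn.execute(query).fetchone() is not None:
            matches.append(host_id)
        conn.close()
    return matches


def route_label(query):
    """Decide where a label runs: ('server', members) or ('hosts', all_hosts).

    'hosts' means the query touches a table (e.g. file) that only the agent
    can answer, so it must be distributed to every host, as labels are today.
    """
    if server_evaluable(query):
        return ("server", evaluate_on_server(query))
    return ("hosts", sorted(HOST_INVENTORY))


if __name__ == "__main__":
    for q in (
        "SELECT 1 FROM system_info where hostname like 'php%'",
        "SELECT 1 FROM osquery_info where version != '4.3.0'",
        "select 1 from file where path='/etc/rsyslog.d/osquery.conf'",
    ):
        print(q, "->", route_label(q))
```

With the three constructed hosts, the two system_info/osquery_info labels resolve entirely on the server, while the file-table label is the only one that still has to be distributed.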

noahtalerman commented 3 years ago

Are the goals you mentioned in this comment (separate issue) related to your goals with creating two kinds of labels? More specifically, is the idea that having these two kinds of labels will help you minimize the number of queries and log output?

anelshaer commented 3 years ago

Yes exactly Noah, this is one of the benefits: it will minimize the number of queries and logs on each host, and provide a means to group hosts which you can target with queries on the fly, with no need to query every host initially to get the targets.

Another thing to highlight: if you are investigating some machines you usually want to keep it under the radar, so creating a query that describes the machines/targets could tip off and expose your search/investigation.

zwass commented 2 years ago

Just heard another request for this while speaking with a customer today.

anelshaer commented 2 years ago

Hhhh, this was a year ago, glad it's useful. I can certainly speak to that and tell you it's very useful and going to save a ton of queries being run on machines and noisy logging etc.

On Mon 20 Dec 2021 at 11:56 PM, Zach Wasserman wrote:

Just heard another request for this while speaking with a customer today.
