Open GurbanV opened 3 weeks ago
Hey @GurbanV, thanks for tracking this.
@georgekarrv, do you have a local instance of Fleet? If so, can you please paste the output of fleet --help in the comments here?
We're curious what the entire output looks like. We're wondering if we haven't been updating the output with new configuration options.
Fleet server (https://fleetdm.com)
Configurable Options:
Options may be supplied in a yaml configuration file or via environment
variables. You only need to define the configuration values for which you
wish to override the default value.
Usage:
fleet [command]
Available Commands:
completion Generate the autocompletion script for the specified shell
config_dump Dump the parsed configuration in yaml format
help Help about any command
prepare Subcommands for initializing Fleet infrastructure
serve Launch the Fleet server
version Print Fleet version
vuln_processing Run the vulnerability processing features of Fleet
Flags:
--activity_audit_log_plugin string Env: FLEET_ACTIVITY_AUDIT_LOG_PLUGIN
Log plugin to use for audit logs (default "filesystem")
--activity_enable_audit_log Env: FLEET_ACTIVITY_ENABLE_AUDIT_LOG
Enable audit logs
--app_enable_scheduled_query_stats Env: FLEET_APP_ENABLE_SCHEDULED_QUERY_STATS
If true (default) it gets scheduled query stats from hosts (default true)
--app_invite_token_validity_period duration Env: FLEET_APP_INVITE_TOKEN_VALIDITY_PERIOD
Duration invite tokens remain valid (i.e. 1h) (default 120h0m0s)
--app_token_key string Env: FLEET_APP_TOKEN_KEY
Secret key for generating invite and reset tokens (default "CHANGEME")
--app_token_key_size int Env: FLEET_APP_TOKEN_KEY_SIZE
Size of generated tokens (default 24)
--auth_bcrypt_cost int Env: FLEET_AUTH_BCRYPT_COST
Bcrypt iterations (default 12)
--auth_salt_key_size int Env: FLEET_AUTH_SALT_KEY_SIZE
Size of salt for passwords (default 24)
--calendar_periodicity duration Env: FLEET_CALENDAR_PERIODICITY
How much time to wait between processing calendar integration.
-c, --config string Path to a configuration file
--email_backend string Env: FLEET_EMAIL_BACKEND
Provide the email backend type, acceptable values are currently "ses" and "default" or empty string which will default to SMTP
--filesystem_audit_log_file string Env: FLEET_FILESYSTEM_AUDIT_LOG_FILE
Log file path to use for audit logs (default "/tmp/audit")
--filesystem_enable_log_compression Env: FLEET_FILESYSTEM_ENABLE_LOG_COMPRESSION
Enable compression for the rotated osquery log files
--filesystem_enable_log_rotation Env: FLEET_FILESYSTEM_ENABLE_LOG_ROTATION
Enable automatic rotation for osquery log files
--filesystem_max_age int Env: FLEET_FILESYSTEM_MAX_AGE
Maximum number of days to retain old log files based on the timestamp encoded in their filename. Setting to zero wil retain old log files indefinitely (only valid if enable_log_rotation is true) default is 28 days (default 28)
--filesystem_max_backups int Env: FLEET_FILESYSTEM_MAX_BACKUPS
Maximum number of old log files to retain. Setting to zero will retain all old log files (only valid if enable_log_rotation is true) default is 3 (default 3)
--filesystem_max_size int Env: FLEET_FILESYSTEM_MAX_SIZE
Maximum size in megabytes log files will grow until rotated (only valid if enable_log_rotation is true) default is 500MB (default 500)
--filesystem_result_log_file string Env: FLEET_FILESYSTEM_RESULT_LOG_FILE
Log file path to use for result logs (default "/tmp/osquery_result")
--filesystem_status_log_file string Env: FLEET_FILESYSTEM_STATUS_LOG_FILE
Log file path to use for status logs (default "/tmp/osquery_status")
--firehose_access_key_id string Env: FLEET_FIREHOSE_ACCESS_KEY_ID
Access Key ID for AWS authentication
--firehose_audit_stream string Env: FLEET_FIREHOSE_AUDIT_STREAM
Firehose stream name for audit logs
--firehose_endpoint_url string Env: FLEET_FIREHOSE_ENDPOINT_URL
AWS Service Endpoint to use (leave empty for default service endpoints)
--firehose_region string Env: FLEET_FIREHOSE_REGION
AWS Region to use
--firehose_result_stream string Env: FLEET_FIREHOSE_RESULT_STREAM
Firehose stream name for result logs
--firehose_secret_access_key string Env: FLEET_FIREHOSE_SECRET_ACCESS_KEY
Secret Access Key for AWS authentication
--firehose_status_stream string Env: FLEET_FIREHOSE_STATUS_STREAM
Firehose stream name for status logs
--firehose_sts_assume_role_arn string Env: FLEET_FIREHOSE_STS_ASSUME_ROLE_ARN
ARN of role to assume for AWS
--firehose_sts_external_id string Env: FLEET_FIREHOSE_STS_EXTERNAL_ID
Optional unique identifier that can be used by the principal assuming the role to assert its identity.
--geoip_database_path string Env: FLEET_GEOIP_DATABASE_PATH
path to mmdb file
-h, --help help for fleet
--kafkarest_audit_topic string Env: FLEET_KAFKAREST_AUDIT_TOPIC
Kafka REST topic for audit logs
--kafkarest_content_type_value string Env: FLEET_KAFKAREST_CONTENT_TYPE_VALUE
Kafka REST proxy content type header (defaults to "application/vnd.kafka.json.v1+json" (default "application/vnd.kafka.json.v1+json")
--kafkarest_proxyhost string Env: FLEET_KAFKAREST_PROXYHOST
Kafka REST proxy host url
--kafkarest_result_topic string Env: FLEET_KAFKAREST_RESULT_TOPIC
Kafka REST topic for result logs
--kafkarest_status_topic string Env: FLEET_KAFKAREST_STATUS_TOPIC
Kafka REST topic for status logs
--kafkarest_timeout int Env: FLEET_KAFKAREST_TIMEOUT
Kafka REST proxy json post timeout (default 5)
--kinesis_access_key_id string Env: FLEET_KINESIS_ACCESS_KEY_ID
Access Key ID for AWS authentication
--kinesis_audit_stream string Env: FLEET_KINESIS_AUDIT_STREAM
Kinesis stream name for audit logs
--kinesis_endpoint_url string Env: FLEET_KINESIS_ENDPOINT_URL
AWS Service Endpoint to use (leave empty for default service endpoints)
--kinesis_region string Env: FLEET_KINESIS_REGION
AWS Region to use
--kinesis_result_stream string Env: FLEET_KINESIS_RESULT_STREAM
Kinesis stream name for result logs
--kinesis_secret_access_key string Env: FLEET_KINESIS_SECRET_ACCESS_KEY
Secret Access Key for AWS authentication
--kinesis_status_stream string Env: FLEET_KINESIS_STATUS_STREAM
Kinesis stream name for status logs
--kinesis_sts_assume_role_arn string Env: FLEET_KINESIS_STS_ASSUME_ROLE_ARN
ARN of role to assume for AWS
--kinesis_sts_external_id string Env: FLEET_KINESIS_STS_EXTERNAL_ID
Optional unique identifier that can be used by the principal assuming the role to assert its identity.
--lambda_access_key_id string Env: FLEET_LAMBDA_ACCESS_KEY_ID
Access Key ID for AWS authentication
--lambda_audit_function string Env: FLEET_LAMBDA_AUDIT_FUNCTION
Lambda function name for audit logs
--lambda_region string Env: FLEET_LAMBDA_REGION
AWS Region to use
--lambda_result_function string Env: FLEET_LAMBDA_RESULT_FUNCTION
Lambda function name for result logs
--lambda_secret_access_key string Env: FLEET_LAMBDA_SECRET_ACCESS_KEY
Secret Access Key for AWS authentication
--lambda_status_function string Env: FLEET_LAMBDA_STATUS_FUNCTION
Lambda function name for status logs
--lambda_sts_assume_role_arn string Env: FLEET_LAMBDA_STS_ASSUME_ROLE_ARN
ARN of role to assume for AWS
--lambda_sts_external_id string Env: FLEET_LAMBDA_STS_EXTERNAL_ID
Optional unique identifier that can be used by the principal assuming the role to assert its identity.
--license_enforce_host_limit Env: FLEET_LICENSE_ENFORCE_HOST_LIMIT
Enforce license limit of enrolled hosts
--license_key string Env: FLEET_LICENSE_KEY
Fleet license key (to enable Fleet Premium features)
--logging_debug Env: FLEET_LOGGING_DEBUG
Enable debug logging
--logging_disable_banner Env: FLEET_LOGGING_DISABLE_BANNER
Disable startup banner
--logging_error_retention_period duration Env: FLEET_LOGGING_ERROR_RETENTION_PERIOD
Amount of time to keep errors, 0 means no expiration, < 0 means disable storage of errors (default 24h0m0s)
--logging_json Env: FLEET_LOGGING_JSON
Log in JSON format
--logging_tracing_enabled Env: FLEET_LOGGING_TRACING_ENABLED
Enable Tracing, further configured via standard env variables
--logging_tracing_type string Env: FLEET_LOGGING_TRACING_TYPE
Select the kind of tracing, defaults to opentelemetry, can also be elasticapm (default "opentelemetry")
--mdm_apple_apns_cert string Env: FLEET_MDM_APPLE_APNS_CERT
Apple APNs PEM-encoded certificate path
--mdm_apple_apns_cert_bytes string Env: FLEET_MDM_APPLE_APNS_CERT_BYTES
Apple APNs PEM-encoded certificate bytes
--mdm_apple_apns_key string Env: FLEET_MDM_APPLE_APNS_KEY
Apple APNs PEM-encoded private key path
--mdm_apple_apns_key_bytes string Env: FLEET_MDM_APPLE_APNS_KEY_BYTES
Apple APNs PEM-encoded private key bytes
--mdm_apple_bm_cert string Env: FLEET_MDM_APPLE_BM_CERT
Apple Business Manager PEM-encoded certificate path
--mdm_apple_bm_cert_bytes string Env: FLEET_MDM_APPLE_BM_CERT_BYTES
Apple Business Manager PEM-encoded certificate bytes
--mdm_apple_bm_key string Env: FLEET_MDM_APPLE_BM_KEY
Apple Business Manager PEM-encoded private key path
--mdm_apple_bm_key_bytes string Env: FLEET_MDM_APPLE_BM_KEY_BYTES
Apple Business Manager PEM-encoded private key bytes
--mdm_apple_bm_server_token string Env: FLEET_MDM_APPLE_BM_SERVER_TOKEN
Apple Business Manager encrypted server token path (.p7m file)
--mdm_apple_bm_server_token_bytes string Env: FLEET_MDM_APPLE_BM_SERVER_TOKEN_BYTES
Apple Business Manager encrypted server token bytes
--mdm_apple_dep_sync_periodicity duration Env: FLEET_MDM_APPLE_DEP_SYNC_PERIODICITY
How much time to wait for DEP profile assignment (default 1m0s)
--mdm_apple_enable Env: FLEET_MDM_APPLE_ENABLE
Enable MDM Apple functionality
--mdm_apple_scep_cert string Env: FLEET_MDM_APPLE_SCEP_CERT
Apple SCEP PEM-encoded certificate path
--mdm_apple_scep_cert_bytes string Env: FLEET_MDM_APPLE_SCEP_CERT_BYTES
Apple SCEP PEM-encoded certificate bytes
--mdm_apple_scep_challenge string Env: FLEET_MDM_APPLE_SCEP_CHALLENGE
SCEP static challenge for enrollment
--mdm_apple_scep_key string Env: FLEET_MDM_APPLE_SCEP_KEY
Apple SCEP PEM-encoded private key path
--mdm_apple_scep_key_bytes string Env: FLEET_MDM_APPLE_SCEP_KEY_BYTES
Apple SCEP PEM-encoded private key bytes
--mdm_apple_scep_signer_allow_renewal_days int Env: FLEET_MDM_APPLE_SCEP_SIGNER_ALLOW_RENEWAL_DAYS
Allowable renewal days for client certificates (default 14)
--mdm_apple_scep_signer_validity_days int Env: FLEET_MDM_APPLE_SCEP_SIGNER_VALIDITY_DAYS
Days signed client certificates will be valid (default 365)
--mysql_address string Env: FLEET_MYSQL_ADDRESS
MySQL server address (host:port). (default "localhost:3306")
--mysql_conn_max_lifetime int Env: FLEET_MYSQL_CONN_MAX_LIFETIME
MySQL maximum amount of time a connection may be reused.
--mysql_database string Env: FLEET_MYSQL_DATABASE
MySQL database name. (default "fleet")
--mysql_max_idle_conns int Env: FLEET_MYSQL_MAX_IDLE_CONNS
MySQL maximum idle connection handles. (default 50)
--mysql_max_open_conns int Env: FLEET_MYSQL_MAX_OPEN_CONNS
MySQL maximum open connection handles. (default 50)
--mysql_password string Env: FLEET_MYSQL_PASSWORD
MySQL server password (prefer env variable for security).
--mysql_password_path string Env: FLEET_MYSQL_PASSWORD_PATH
Path to file containg MySQL server password.
--mysql_protocol string Env: FLEET_MYSQL_PROTOCOL
MySQL server communication protocol (tcp,unix,...). (default "tcp")
--mysql_read_replica_address string Env: FLEET_MYSQL_READ_REPLICA_ADDRESS
MySQL server address (host:port) for the read replica.
--mysql_read_replica_conn_max_lifetime int Env: FLEET_MYSQL_READ_REPLICA_CONN_MAX_LIFETIME
MySQL maximum amount of time a connection may be reused for the read replica.
--mysql_read_replica_database string Env: FLEET_MYSQL_READ_REPLICA_DATABASE
MySQL database name for the read replica. (default "fleet")
--mysql_read_replica_max_idle_conns int Env: FLEET_MYSQL_READ_REPLICA_MAX_IDLE_CONNS
MySQL maximum idle connection handles for the read replica. (default 50)
--mysql_read_replica_max_open_conns int Env: FLEET_MYSQL_READ_REPLICA_MAX_OPEN_CONNS
MySQL maximum open connection handles for the read replica. (default 50)
--mysql_read_replica_password string Env: FLEET_MYSQL_READ_REPLICA_PASSWORD
MySQL server password (prefer env variable for security) for the read replica.
--mysql_read_replica_password_path string Env: FLEET_MYSQL_READ_REPLICA_PASSWORD_PATH
Path to file containg MySQL server password for the read replica.
--mysql_read_replica_protocol string Env: FLEET_MYSQL_READ_REPLICA_PROTOCOL
MySQL server communication protocol (tcp,unix,...) for the read replica. (default "tcp")
--mysql_read_replica_sql_mode string Env: FLEET_MYSQL_READ_REPLICA_SQL_MODE
MySQL sql_mode for the read replica.
--mysql_read_replica_tls_ca string Env: FLEET_MYSQL_READ_REPLICA_TLS_CA
MySQL TLS server CA for the read replica.
--mysql_read_replica_tls_cert string Env: FLEET_MYSQL_READ_REPLICA_TLS_CERT
MySQL TLS client certificate path for the read replica.
--mysql_read_replica_tls_config string Env: FLEET_MYSQL_READ_REPLICA_TLS_CONFIG
MySQL TLS config value for the read replica. Use skip-verify, true, false or custom key.
--mysql_read_replica_tls_key string Env: FLEET_MYSQL_READ_REPLICA_TLS_KEY
MySQL TLS client key path for the read replica.
--mysql_read_replica_tls_server_name string Env: FLEET_MYSQL_READ_REPLICA_TLS_SERVER_NAME
MySQL TLS server name for the read replica.
--mysql_read_replica_username string Env: FLEET_MYSQL_READ_REPLICA_USERNAME
MySQL server username for the read replica. (default "fleet")
--mysql_sql_mode string Env: FLEET_MYSQL_SQL_MODE
MySQL sql_mode.
--mysql_tls_ca string Env: FLEET_MYSQL_TLS_CA
MySQL TLS server CA.
--mysql_tls_cert string Env: FLEET_MYSQL_TLS_CERT
MySQL TLS client certificate path.
--mysql_tls_config string Env: FLEET_MYSQL_TLS_CONFIG
MySQL TLS config value. Use skip-verify, true, false or custom key.
--mysql_tls_key string Env: FLEET_MYSQL_TLS_KEY
MySQL TLS client key path.
--mysql_tls_server_name string Env: FLEET_MYSQL_TLS_SERVER_NAME
MySQL TLS server name.
--mysql_username string Env: FLEET_MYSQL_USERNAME
MySQL server username. (default "fleet")
--osquery_async_host_collect_interval string Env: FLEET_OSQUERY_ASYNC_HOST_COLLECT_INTERVAL
Interval to collect asynchronous host-reported query results (e.g. '30s' or set per task 'label_membership=10s&policy_membership=1m') (default "30s")
--osquery_async_host_collect_lock_timeout string Env: FLEET_OSQUERY_ASYNC_HOST_COLLECT_LOCK_TIMEOUT
Timeout of the exclusive lock held during async host collection (e.g., '30s' or set per task 'label_membership=10s&policy_membership=1m' (default "1m0s")
--osquery_async_host_collect_log_stats_interval duration Env: FLEET_OSQUERY_ASYNC_HOST_COLLECT_LOG_STATS_INTERVAL
Interval at which async host collection statistics are logged (0 disables logging of stats) (default 1m0s)
--osquery_async_host_collect_max_jitter_percent int Env: FLEET_OSQUERY_ASYNC_HOST_COLLECT_MAX_JITTER_PERCENT
Maximum percentage of the interval to collect asynchronous host results (default 10)
--osquery_async_host_delete_batch int Env: FLEET_OSQUERY_ASYNC_HOST_DELETE_BATCH
Batch size for async collection deletes in mysql (default 2000)
--osquery_async_host_insert_batch int Env: FLEET_OSQUERY_ASYNC_HOST_INSERT_BATCH
Batch size for async collection inserts in mysql (default 2000)
--osquery_async_host_redis_pop_count int Env: FLEET_OSQUERY_ASYNC_HOST_REDIS_POP_COUNT
Batch size to pop items from redis in async collection (default 1000)
--osquery_async_host_redis_scan_keys_count int Env: FLEET_OSQUERY_ASYNC_HOST_REDIS_SCAN_KEYS_COUNT
Batch size to scan redis keys in async collection (default 1000)
--osquery_async_host_update_batch int Env: FLEET_OSQUERY_ASYNC_HOST_UPDATE_BATCH
Batch size for async collection updates in mysql (default 1000)
--osquery_detail_update_interval duration Env: FLEET_OSQUERY_DETAIL_UPDATE_INTERVAL
Interval to update host details (i.e. 1h) (default 1h0m0s)
--osquery_enable_async_host_processing string Env: FLEET_OSQUERY_ENABLE_ASYNC_HOST_PROCESSING
Enable asynchronous processing of host-reported query results (either 'true'/'false' or set per task, e.g., 'label_membership=true&policy_membership=true') (default "false")
--osquery_enable_log_rotation Env: FLEET_OSQUERY_ENABLE_LOG_ROTATION
(DEPRECATED: Use filesystem.enable_log_rotation) Enable automatic rotation for osquery log files
--osquery_enroll_cooldown duration Env: FLEET_OSQUERY_ENROLL_COOLDOWN
Cooldown period for duplicate host enrollment (default off)
--osquery_host_identifier string Env: FLEET_OSQUERY_HOST_IDENTIFIER
Identifier used to uniquely determine osquery clients (default "provided")
--osquery_label_update_interval duration Env: FLEET_OSQUERY_LABEL_UPDATE_INTERVAL
Interval to update host label membership (i.e. 1h) (default 1h0m0s)
--osquery_max_jitter_percent int Env: FLEET_OSQUERY_MAX_JITTER_PERCENT
Maximum percentage of the interval to add as jitter (default 10)
--osquery_min_software_last_opened_at_diff duration Env: FLEET_OSQUERY_MIN_SOFTWARE_LAST_OPENED_AT_DIFF
Minimum time difference of the software's last opened timestamp (compared to the last one saved) to trigger an update to the database (default 1h0m0s)
--osquery_node_key_size int Env: FLEET_OSQUERY_NODE_KEY_SIZE
Size of generated osqueryd node keys (default 24)
--osquery_policy_update_interval duration Env: FLEET_OSQUERY_POLICY_UPDATE_INTERVAL
Interval to update host policy membership (i.e. 1h) (default 1h0m0s)
--osquery_result_log_file string Env: FLEET_OSQUERY_RESULT_LOG_FILE
(DEPRECATED: Use filesystem.result_log_file) Path for osqueryd result logs
--osquery_result_log_plugin string Env: FLEET_OSQUERY_RESULT_LOG_PLUGIN
Log plugin to use for result logs (default "filesystem")
--osquery_status_log_file string Env: FLEET_OSQUERY_STATUS_LOG_FILE
(DEPRECATED: Use filesystem.status_log_file) Path for osqueryd status logs
--osquery_status_log_plugin string Env: FLEET_OSQUERY_STATUS_LOG_PLUGIN
Log plugin to use for status logs (default "filesystem")
--packaging_global_enroll_secret string Env: FLEET_PACKAGING_GLOBAL_ENROLL_SECRET
Enroll secret to be used for the global domain (instead of randomly generating one)
--packaging_s3_access_key_id string Env: FLEET_PACKAGING_S3_ACCESS_KEY_ID
Access Key ID for AWS authentication
--packaging_s3_bucket string Env: FLEET_PACKAGING_S3_BUCKET
Bucket where to retrieve installers
--packaging_s3_disable_ssl Env: FLEET_PACKAGING_S3_DISABLE_SSL
Disable SSL (typically for local testing)
--packaging_s3_endpoint_url string Env: FLEET_PACKAGING_S3_ENDPOINT_URL
AWS Service Endpoint to use (leave blank for default service endpoints)
--packaging_s3_force_s3_path_style http://s3.amazonaws.com/BUCKET/KEY Env: FLEET_PACKAGING_S3_FORCE_S3_PATH_STYLE
Set this to true to force path-style addressing, i.e., http://s3.amazonaws.com/BUCKET/KEY
--packaging_s3_prefix string Env: FLEET_PACKAGING_S3_PREFIX
Prefix under which installers are stored
--packaging_s3_region string Env: FLEET_PACKAGING_S3_REGION
AWS Region (if blank region is derived)
--packaging_s3_secret_access_key string Env: FLEET_PACKAGING_S3_SECRET_ACCESS_KEY
Secret Access Key for AWS authentication
--packaging_s3_sts_assume_role_arn string Env: FLEET_PACKAGING_S3_STS_ASSUME_ROLE_ARN
ARN of role to assume for AWS
--packaging_s3_sts_external_id string Env: FLEET_PACKAGING_S3_STS_EXTERNAL_ID
Optional unique identifier that can be used by the principal assuming the role to assert its identity.
--prometheus_basic_auth_disable Env: FLEET_PROMETHEUS_BASIC_AUTH_DISABLE
Disable HTTP Basic Auth for Prometheus
--prometheus_basic_auth_password string Env: FLEET_PROMETHEUS_BASIC_AUTH_PASSWORD
Prometheus password for HTTP Basic Auth
--prometheus_basic_auth_username string Env: FLEET_PROMETHEUS_BASIC_AUTH_USERNAME
Prometheus username for HTTP Basic Auth
--pubsub_add_attributes Env: FLEET_PUBSUB_ADD_ATTRIBUTES
Add PubSub attributes in addition to the message body
--pubsub_audit_topic string Env: FLEET_PUBSUB_AUDIT_TOPIC
PubSub topic for audit logs
--pubsub_project string Env: FLEET_PUBSUB_PROJECT
Google Cloud Project to use
--pubsub_result_topic string Env: FLEET_PUBSUB_RESULT_TOPIC
PubSub topic for result logs
--pubsub_status_topic string Env: FLEET_PUBSUB_STATUS_TOPIC
PubSub topic for status logs
--redis_address string Env: FLEET_REDIS_ADDRESS
Redis server address (host:port) (default "localhost:6379")
--redis_cluster_follow_redirections Env: FLEET_REDIS_CLUSTER_FOLLOW_REDIRECTIONS
Automatically follow Redis Cluster redirections
--redis_cluster_read_from_replica Env: FLEET_REDIS_CLUSTER_READ_FROM_REPLICA
Prefer reading from a replica when possible (for Redis Cluster)
--redis_conn_max_lifetime duration Env: FLEET_REDIS_CONN_MAX_LIFETIME
Redis maximum amount of time a connection may be reused, 0 means no limit
--redis_conn_wait_timeout duration Env: FLEET_REDIS_CONN_WAIT_TIMEOUT
Redis maximum amount of time to wait for a connection if the maximum is reached (0 for no wait)
--redis_connect_retry_attempts int Env: FLEET_REDIS_CONNECT_RETRY_ATTEMPTS
Number of attempts to retry a failed connection
--redis_connect_timeout duration Env: FLEET_REDIS_CONNECT_TIMEOUT
Timeout at connection time (default 5s)
--redis_database int Env: FLEET_REDIS_DATABASE
Redis server database number
--redis_duplicate_results Env: FLEET_REDIS_DUPLICATE_RESULTS
Duplicate Live Query results to another Redis channel
--redis_idle_timeout duration Env: FLEET_REDIS_IDLE_TIMEOUT
Redis maximum amount of time a connection may stay idle, 0 means no limit (default 4m0s)
--redis_keep_alive duration Env: FLEET_REDIS_KEEP_ALIVE
Interval between keep alive probes (default 10s)
--redis_max_idle_conns int Env: FLEET_REDIS_MAX_IDLE_CONNS
Redis maximum idle connections (default 3)
--redis_max_open_conns int Env: FLEET_REDIS_MAX_OPEN_CONNS
Redis maximum open connections, 0 means no limit
--redis_password string Env: FLEET_REDIS_PASSWORD
Redis server password (prefer env variable for security)
--redis_read_timeout duration Env: FLEET_REDIS_READ_TIMEOUT
Redis maximum amount of time to wait for a read (receive) on a connection (default 10s)
--redis_tls_ca string Env: FLEET_REDIS_TLS_CA
Redis TLS server CA
--redis_tls_cert string Env: FLEET_REDIS_TLS_CERT
Redis TLS client certificate path
--redis_tls_handshake_timeout duration Env: FLEET_REDIS_TLS_HANDSHAKE_TIMEOUT
Redis TLS handshake timeout (default 10s)
--redis_tls_key string Env: FLEET_REDIS_TLS_KEY
Redis TLS client key path
--redis_tls_server_name string Env: FLEET_REDIS_TLS_SERVER_NAME
Redis TLS server name
--redis_use_tls Env: FLEET_REDIS_USE_TLS
Redis server enable TLS
--redis_username string Env: FLEET_REDIS_USERNAME
Redis server username
--redis_write_timeout duration Env: FLEET_REDIS_WRITE_TIMEOUT
Redis maximum amount of time to wait for a write (send) on a connection (default 10s)
--s3_carves_access_key_id string Env: FLEET_S3_CARVES_ACCESS_KEY_ID
Access Key ID for AWS authentication
--s3_carves_bucket string Env: FLEET_S3_CARVES_BUCKET
Bucket where to store file carves
--s3_carves_disable_ssl Env: FLEET_S3_CARVES_DISABLE_SSL
Disable SSL (typically for local testing)
--s3_carves_endpoint_url string Env: FLEET_S3_CARVES_ENDPOINT_URL
AWS Service Endpoint to use (leave blank for default service endpoints)
--s3_carves_force_s3_path_style http://s3.amazonaws.com/BUCKET/KEY Env: FLEET_S3_CARVES_FORCE_S3_PATH_STYLE
Set this to true to force path-style addressing, i.e., http://s3.amazonaws.com/BUCKET/KEY
--s3_carves_prefix string Env: FLEET_S3_CARVES_PREFIX
Prefix under which carves are stored
--s3_carves_region string Env: FLEET_S3_CARVES_REGION
AWS Region (if blank region is derived)
--s3_carves_secret_access_key string Env: FLEET_S3_CARVES_SECRET_ACCESS_KEY
Secret Access Key for AWS authentication
--s3_carves_sts_assume_role_arn string Env: FLEET_S3_CARVES_STS_ASSUME_ROLE_ARN
ARN of role to assume for AWS
--s3_carves_sts_external_id string Env: FLEET_S3_CARVES_STS_EXTERNAL_ID
Optional unique identifier that can be used by the principal assuming the role to assert its identity.
--s3_software_installers_access_key_id string Env: FLEET_S3_SOFTWARE_INSTALLERS_ACCESS_KEY_ID
Access Key ID for AWS authentication
--s3_software_installers_bucket string Env: FLEET_S3_SOFTWARE_INSTALLERS_BUCKET
Bucket where to store uploaded software installers
--s3_software_installers_disable_ssl Env: FLEET_S3_SOFTWARE_INSTALLERS_DISABLE_SSL
Disable SSL (typically for local testing)
--s3_software_installers_endpoint_url string Env: FLEET_S3_SOFTWARE_INSTALLERS_ENDPOINT_URL
AWS Service Endpoint to use (leave blank for default service endpoints)
--s3_software_installers_force_s3_path_style http://s3.amazonaws.com/BUCKET/KEY Env: FLEET_S3_SOFTWARE_INSTALLERS_FORCE_S3_PATH_STYLE
Set this to true to force path-style addressing, i.e., http://s3.amazonaws.com/BUCKET/KEY
--s3_software_installers_prefix string Env: FLEET_S3_SOFTWARE_INSTALLERS_PREFIX
Prefix under which software installers are stored
--s3_software_installers_region string Env: FLEET_S3_SOFTWARE_INSTALLERS_REGION
AWS Region (if blank region is derived)
--s3_software_installers_secret_access_key string Env: FLEET_S3_SOFTWARE_INSTALLERS_SECRET_ACCESS_KEY
Secret Access Key for AWS authentication
--s3_software_installers_sts_assume_role_arn string Env: FLEET_S3_SOFTWARE_INSTALLERS_STS_ASSUME_ROLE_ARN
ARN of role to assume for AWS
--s3_software_installers_sts_external_id string Env: FLEET_S3_SOFTWARE_INSTALLERS_STS_EXTERNAL_ID
Optional unique identifier that can be used by the principal assuming the role to assert its identity.
--sentry_dsn string Env: FLEET_SENTRY_DSN
DSN for Sentry
--server_address string Env: FLEET_SERVER_ADDRESS
Fleet server address (host:port) (default "0.0.0.0:8080")
--server_cert string Env: FLEET_SERVER_CERT
Fleet TLS certificate path (default "./tools/osquery/fleet.crt")
--server_frequent_cleanups_enabled Env: FLEET_SERVER_FREQUENT_CLEANUPS_ENABLED
Enable frequent cleanups of expired data (15 minute interval)
--server_keepalive Env: FLEET_SERVER_KEEPALIVE
Controls whether HTTP keep-alives are enabled. (default true)
--server_key string Env: FLEET_SERVER_KEY
Fleet TLS key path (default "./tools/osquery/fleet.key")
--server_private_key string Env: FLEET_SERVER_PRIVATE_KEY
Used for encrypting sensitive data, such as MDM certificates.
--server_tls Env: FLEET_SERVER_TLS
Enable TLS (required for osqueryd communication) (default true)
--server_tls_compatibility string Env: FLEET_SERVER_TLS_COMPATIBILITY
TLS security profile choose one of modern or intermediate (default "intermediate")
--server_url_prefix string Env: FLEET_SERVER_URL_PREFIX
URL prefix used on server and frontend endpoints
--server_websockets_allow_unsafe_origin Env: FLEET_SERVER_WEBSOCKETS_ALLOW_UNSAFE_ORIGIN
Disable checking the origin header on websocket connections, this is sometimes necessary when proxies rewrite origin headers between the client and the Fleet webserver
--ses_access_key_id string Env: FLEET_SES_ACCESS_KEY_ID
Access Key ID for AWS authentication
--ses_endpoint_url string Env: FLEET_SES_ENDPOINT_URL
AWS Service Endpoint to use (leave empty for default service endpoints)
--ses_region string Env: FLEET_SES_REGION
AWS Region to use
--ses_secret_access_key string Env: FLEET_SES_SECRET_ACCESS_KEY
Secret Access Key for AWS authentication
--ses_source_arn string Env: FLEET_SES_SOURCE_ARN
ARN of the identity that is associated with the sending authorization policy that permits you to send for the email address specified in the Source parameter
--ses_sts_assume_role_arn string Env: FLEET_SES_STS_ASSUME_ROLE_ARN
ARN of role to assume for AWS
--ses_sts_external_id string Env: FLEET_SES_STS_EXTERNAL_ID
Optional unique identifier that can be used by the principal assuming the role to assert its identity.
--session_duration duration Env: FLEET_SESSION_DURATION
Duration session keys remain valid (i.e. 4h) (default 120h0m0s)
--session_key_size int Env: FLEET_SESSION_KEY_SIZE
Size of generated session keys (default 64)
--upgrades_allow_missing_migrations Env: FLEET_UPGRADES_ALLOW_MISSING_MIGRATIONS
Allow serve to run even if migrations are missing.
--vulnerabilities_cpe_database_url string Env: FLEET_VULNERABILITIES_CPE_DATABASE_URL
URL from which to get the latest CPE database. If empty, it will be downloaded from the latest release available at https://github.com/fleetdm/nvd/releases.
--vulnerabilities_cpe_translations_url string Env: FLEET_VULNERABILITIES_CPE_TRANSLATIONS_URL
URL from which to get the latest CPE translations. If empty, it will be downloaded from the latest release available at https://github.com/fleetdm/nvd/releases.
--vulnerabilities_current_instance_checks string Env: FLEET_VULNERABILITIES_CURRENT_INSTANCE_CHECKS
Allows to manually select an instance to do the vulnerability processing. (default "auto")
--vulnerabilities_cve_feed_prefix_url string Env: FLEET_VULNERABILITIES_CVE_FEED_PREFIX_URL
Prefix URL for the CVE data feed. If empty, default to https://nvd.nist.gov/
--vulnerabilities_databases_path string Env: FLEET_VULNERABILITIES_DATABASES_PATH
Path where Fleet will download the data feeds to check CVEs (default "/tmp/vulndbs")
--vulnerabilities_disable_data_sync Env: FLEET_VULNERABILITIES_DISABLE_DATA_SYNC
Skips synchronizing data streams and expects them to be available in the databases_path.
--vulnerabilities_disable_schedule Env: FLEET_VULNERABILITIES_DISABLE_SCHEDULE
Set this to true when the vulnerability processing job is scheduled by an external mechanism
--vulnerabilities_disable_win_os_vulnerabilities Env: FLEET_VULNERABILITIES_DISABLE_WIN_OS_VULNERABILITIES
Don't sync installed Windows updates nor perform Windows OS vulnerability processing.
--vulnerabilities_periodicity duration Env: FLEET_VULNERABILITIES_PERIODICITY
How much time to wait between processing software for vulnerabilities. (default 1h0m0s)
--vulnerabilities_recent_vulnerability_max_age duration Env: FLEET_VULNERABILITIES_RECENT_VULNERABILITY_MAX_AGE
Maximum age of the published date of a vulnerability (CVE) to be considered 'recent'. (default 720h0m0s)
Use "fleet [command] --help" for more information about a command.
Thanks @georgekarrv!
I updated this issue to a bug.
Thanks for catching this @GurbanV
Fleet version: 4.58.0
💥 Actual behavior
Currently, the fleet --help output does not include these Windows MDM config options: --mdm_windows_wstep_identity_cert_bytes and --mdm_windows_wstep_identity_key_bytes
Full fleet --help output is in the comment here.
🧑💻 Steps to reproduce
Run fleet --help
🛠️ To fix
Add flags and descriptions for --mdm_windows_wstep_identity_cert_bytes and --mdm_windows_wstep_identity_key_bytes to the fleet --help output, so users can easily find and configure these options directly from the CLI.
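A check for the gap this issue reports, as an added example (not code from the Fleet project): the shell function below takes help text and a list of expected flags and prints the ones that do not appear as a whole token, so --mysql_password is not counted as present just because --mysql_password_path is. The function name missing_flags and the SAMPLE_HELP text are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which expected flags are absent from help output.

# missing_flags HELP_TEXT FLAG...
# Prints, one per line, each FLAG that does not occur in HELP_TEXT as its
# own whitespace-delimited token.
missing_flags() {
    help_text=$1
    shift
    for flag in "$@"; do
        # Compare whole tokens rather than substrings, so a longer flag
        # sharing the same prefix does not hide a missing shorter one.
        if ! printf '%s\n' "$help_text" | awk -v f="$flag" '
            { for (i = 1; i <= NF; i++) if ($i == f) found = 1 }
            END { exit found ? 0 : 1 }'; then
            printf '%s\n' "$flag"
        fi
    done
}

# Constructed sample in the format of the help output quoted in this issue.
SAMPLE_HELP='Flags:
  -c, --config string   Path to a configuration file
      --mdm_apple_scep_key_bytes string   Env: FLEET_MDM_APPLE_SCEP_KEY_BYTES
      Apple SCEP PEM-encoded private key bytes
      --mysql_password_path string   Env: FLEET_MYSQL_PASSWORD_PATH
      Path to file containg MySQL server password.'

# Against a real binary the first argument would be "$(fleet --help 2>&1)".
missing_flags "$SAMPLE_HELP" \
    --config \
    --mysql_password \
    --mdm_windows_wstep_identity_cert_bytes \
    --mdm_windows_wstep_identity_key_bytes
```

Run in CI against the built binary, a non-empty result from this function can be turned into a failing step.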