OSQuery Training
  • ℹī¸Info
    • What is OSQuery?
  • đŸ–Ĩī¸Installation Guides
    • đŸĨDebian + Ubuntu Based Systems
    • 🎩Red Hat, CentOS and Fedora Systems
    • đŸĒŸWindows Based Systems
  • 🔰Using OSQuery
    • Basic Queries
  • 💠FleetDM Guides
    • FleetDM Setup
    • Joining Hosts to Fleet
    • Creating New Queries on Fleet
  • 📗Lesson 1
    • Mespinoza/Pysa Ransomware
    • Hunting Mespinoza/Pysa
  • 📙Lesson 2
    • Pay2Key Ransomware
    • Hunting Pay2Key
Powered by GitBook
On this page
  1. FleetDM Guides

Joining Hosts to Fleet

Guide on How to Join OSQuery Hosts to Fleet

PreviousFleetDM SetupNextCreating New Queries on Fleet

Last updated 2 years ago

How to Join a Windows OSQuery Hosts

Navigate to the Fleet website, log in as the admin user, go to hosts and select "Add new host". Download the Enroll Secret, Server Certificate, and Flag File.

Next, open an administrator PowerShell Window so that files can be moved to where they need to be placed.

cd ~/Downloads
mv .\secret.txt 'C:\Program Files\osquery\secret.txt'
mv .\fleet.pem 'C:\Program Files\osquery\fleet.pem'
rm 'C:\Program Files\osquery\osquery.flags'
mv .\flagfile.txt 'C:\Program Files\osquery\osquery.flags'

Next, edit 'C:\Program Files\osquery\osquery.flags' to ensure that the first three lines of it look like this.

--enroll_secret_path=C:\Program Files\osquery\secret.txt
--tls_server_certs=C:\Program Files\osquery\fleet.pem
--tls_hostname=(YOUR IP or HOSTNAME HERE)

Note: Be sure to use the full path names for the enroll secret path and TLS server certificate. Be sure to put in IP address of server hosting FleetDM for TLS hostname as well.

The rest of the lines in the flag file are good to be set with the defaults. Finally, Restart or Start the osqueryd service.

Restart-Service osqueryd
Start-Service osqueryd

Now, the Windows 10 Host should be on the list of hosts on FleetDM like below!

How to Join a Linux OSQuery Host

In order to join a Linux OSQuery host, get the server certificate, enrollment secret, and OSQuery flag files all set up in /etc/osquery/. 

sudo -i
cd /etc/osquery/
openssl s_client -showcerts -connect <FLEETDM IP>:<FLEETDM PORT> 2>/dev/null </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /etc/osquery/fleetdm.crt
echo 'ENROLL SECRET' > /etc/osquery/osquery.key
wget https://raw.githubusercontent.com/richnadeau/OSQuery-Training-Course/main/FleetDM/linux/osquery_linux.flags -O /etc/osquery/osquery.flags

Make sure to edit the osquery.flags file so that the FleetDM FQDN is inserted in {{ fleetdm_fqdn }} and the FleetDM port is inserted in {{ fleetdm_port }}. After this, restart the OSQuery service to join the host.

systemctl restart osqueryd
💠
Fleet Files
Windows 10 Host Joined
Linux Host Joined