Joining Hosts to Fleet

Guide on How to Join OSQuery Hosts to Fleet

How to Join a Windows OSQuery Host

Navigate to the Fleet website, log in as the admin user, go to hosts and select "Add new host". Download the Enroll Secret, Server Certificate, and Flag File.

Next, open an administrator PowerShell Window so that files can be moved to where they need to be placed.

cd ~/Downloads
mv .\secret.txt 'C:\Program Files\osquery\secret.txt'
mv .\fleet.pem 'C:\Program Files\osquery\fleet.pem'
rm 'C:\Program Files\osquery\osquery.flags'
mv .\flagfile.txt 'C:\Program Files\osquery\osquery.flags'

Next, edit 'C:\Program Files\osquery\osquery.flags' to ensure that the first three lines of it look like this.

--enroll_secret_path=C:\Program Files\osquery\secret.txt
--tls_server_certs=C:\Program Files\osquery\fleet.pem
--tls_hostname=(YOUR IP or HOSTNAME HERE)

Note: Be sure to use the full path names for the enroll secret path and TLS server certificate. Be sure to put in the IP address of the server hosting FleetDM for the TLS hostname as well.

The rest of the lines in the flag file can be left at their defaults. Finally, restart or start the osqueryd service.

Restart-Service osqueryd
Start-Service osqueryd

Now, the Windows 10 host should appear in the list of hosts on FleetDM.

How to Join a Linux OSQuery Host

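In order to join a Linux OSQuery host, get the server certificate, enrollment secret, and OSQuery flag files all set up in /etc/osquery/. The openssl command below saves whichever certificate the server presents at that moment without verifying it, so compare the saved file with the server certificate downloaded from Fleet before relying on it.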

sudo -i
cd /etc/osquery/
openssl s_client -showcerts -connect <FLEETDM IP>:<FLEETDM PORT> 2>/dev/null </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /etc/osquery/fleetdm.crt
echo 'ENROLL SECRET' > /etc/osquery/osquery.key
wget https://raw.githubusercontent.com/richnadeau/OSQuery-Training-Course/main/FleetDM/linux/osquery_linux.flags -O /etc/osquery/osquery.flags

Make sure to edit the osquery.flags file so that the FleetDM FQDN is inserted in {{ fleetdm_fqdn }} and the FleetDM port is inserted in {{ fleetdm_port }}. After this, restart the OSQuery service to join the host.

systemctl restart osqueryd
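A check to run on the Linux flag file before the restart above, as an added example that is not part of the original guide. It assumes the downloaded flag file uses the same `--enroll_secret_path`, `--tls_server_certs` and `--tls_hostname` flags shown in the Windows section; `check_flags` is a hypothetical helper name.

```bash
#!/usr/bin/env bash
# Added example (not from the original guide): sanity-check an osquery flag
# file before restarting osqueryd. check_flags is a hypothetical helper name.
# Returns the number of problems found (0 = nothing to fix).
check_flags() {
  local flags="$1" problems=0 key path mode
  [ -r "$flags" ] || { echo "cannot read $flags"; return 1; }

  # Template placeholders such as {{ fleetdm_fqdn }} must have been replaced.
  if grep -qF '{{' "$flags"; then
    echo "unreplaced {{ }} placeholder in $flags"; problems=$((problems + 1))
  fi

  # --tls_hostname must be present and non-empty.
  if ! grep -Eq '^--tls_hostname=.+' "$flags"; then
    echo "--tls_hostname missing or empty"; problems=$((problems + 1))
  fi

  for key in enroll_secret_path tls_server_certs; do
    path=$(sed -n "s/^--$key=//p" "$flags" | head -n 1)
    # The guide asks for full path names for both of these flags.
    case "$path" in
      /*) ;;
      *) echo "--$key is not a full path"; problems=$((problems + 1)); continue ;;
    esac
    # An empty file is what a failed openssl fetch leaves behind (stderr is
    # discarded in the guide's command), so test for content, not existence.
    if [ ! -s "$path" ]; then
      echo "--$key: $path missing or empty"; problems=$((problems + 1)); continue
    fi
    if [ "$key" = tls_server_certs ]; then
      grep -q -- '-BEGIN CERTIFICATE-' "$path" ||
        { echo "$path holds no PEM certificate"; problems=$((problems + 1)); }
    else
      # The enroll secret should be readable by its owner only (e.g. 600);
      # echo > file as root with the usual umask leaves it at 644.
      mode=$(stat -c '%a' "$path")
      case "$mode" in
        *00) ;;
        *) echo "$path has mode $mode; use chmod 600"; problems=$((problems + 1)) ;;
      esac
    fi
  done
  return "$problems"
}
```

Run it as `check_flags /etc/osquery/osquery.flags && systemctl restart osqueryd` so the service is only restarted when every check passes.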
