
Fleet Device Management
Open source endpoint visibility

Fleet 4.1.0 released with Schedule and Activity feed features

Fleet 4.1.0 is now available to increase the usability and maturity of your Fleet deployment, with Schedule to make collecting data from your devices faster and Activity feed to easily monitor changes made to your Fleet and osquery deployment.

For the complete summary of changes and release binaries, check out the release notes on GitHub.

Easier data collection for increased usability

Deciding what data is sent to a configured log destination, and how often, is vital to our customers’ success, and we want to make it easier for new and experienced users of Fleet…


Fleet 4.0.0 released with Role-based access control and Teams features

Fleet 4.0.0 is now available to spread the power of Fleet throughout your organization, with Teams for separating devices into exclusive groups, Role-based access control to define a user’s access to features in Fleet, and API-only users to help you create more automation pipelines.

Transferring hosts to a Team in Fleet 4.0.0

Spread the power of Fleet

Fleet is utilized at organizations with hundreds of thousands of devices. Our new Teams feature enables separating hosts into exclusive groups. This way, users can easily act on a consistent group of devices.

Having access to Fleet and…


What can we expect to see?

Osquery 4.9.0 is currently in pre-release, so let’s have a quick look at some of the new additions that we hope are in store for us.

As always, for the complete list of changes, check out the osquery changelog and osquery.io.

New features

Add filesystem logrotate feature

For Windows users who don’t have a good alternative to osquery’s recommended logrotate, osquery 4.9.0 brings a basic log rotation feature for the filesystem logger plugin (--logger_plugin=filesystem).

This feature is disabled by default, because it deletes logs once the rotation limits are exceeded, and to avoid any possible conflicts with another logrotate mechanism that is already enabled. …


Human readable timestamps

Unix timestamps can be confusing for even the smartest Time Lord.

If you are anything like me, and Unix timestamps leave you thinking about the mysterious numbers in Lost, you’re going to want to convert them into something more human friendly. Running your timestamp through any number of online converters is one way to go, but it’s a clunky process.


Fleet 3.13 is now available on GitHub and Docker Hub! 3.13 introduces improved performance of the additional queries feature, improvements to the fleetctl preview experience, and more.

For the complete summary of changes and release binaries, check out the release notes on GitHub.

Improved performance of the additional queries feature

The additional queries feature in Fleet allows you to add host data to the response payload of the /hosts Fleet API endpoint. This feature is helpful when you want to grab specific host information straight from the Fleet API instead of your logging destination.


Connect network monitoring with endpoint monitoring.

This article was originally written by Zach Wasserman

Interested in correlating events from network monitoring tools to host activity? Support for Community ID hashing in osquery allows osquery’s endpoint instrumentation to be easily correlated with that of network monitors such as Zeek. Similar strategies can be used to correlate osquery logs with those from other tools that support Community ID. This includes Arkime (formerly Moloch), Suricata, and more.

Community ID

Community ID is a hash of the network connection parameters that allows a connection to be matched between monitoring solutions that support the hash.

To generate a Community ID, a hash is…


Using Elasticsearch and Kibana to visualize osquery performance

This article was originally written by Zach Wasserman

This article serves as a guide to building an osquery performance dashboard with Elasticsearch and Kibana.

Our goal is to build a dashboard like the one pictured below:


Fleet 3.12 is now available! 3.12 offers enhanced host vitals to see which queries are run on which devices, the ability to “refetch” host vitals to get authoritative answers about your devices on-demand, and several awesome contributions from the Fleet community.

For the complete summary of changes and release binaries, check out the release notes on GitHub.

Which queries apply to a host


Rich process trees on macOS, Linux, and Windows

This article was originally written by Zach Wasserman

Using advanced SQL syntax, it is possible to generate process trees in osquery similar to those generated by the pstree utility. With osquery, the generated trees can be extended to include additional information that can aid analysis.

Below is the basic structure of the query:

WITH target_procs AS (
    SELECT * FROM processes WHERE name = 'osqueryd'
)
SELECT *
FROM (
    WITH RECURSIVE parent_proc AS (
        SELECT * FROM target_procs
        UNION ALL
        SELECT p.* FROM processes p JOIN parent_proc pp ON p.pid = pp.parent
        WHERE pp.pid != pp.parent …

A simple query for IP-Geolocation

This article was originally written by Zach Wasserman

In the event of an emergency or public safety concern, osquery can be easily used to identify employees in the direct vicinity, so that teams can push warnings or safety precautions to their staff.

This simple strategy for obtaining the location of an osquery device utilizes the ipapi.co API to retrieve the IP geolocation of the device. Note that the device must be able to connect to the internet over HTTP, and the calculated location may be skewed by VPN, proxies, etc.

Query:

SELECT JSON_EXTRACT(result, '$.ip') AS ip,
       JSON_EXTRACT(result, '$.city') AS city,
       JSON_EXTRACT(result…
