Import and export queries and packs in Fleet

Noah Talerman
Feb 16 · 3 min read

When managing multiple Fleet environments, you may want to move queries and/or packs from one environment to another. Or, inspired by a set of packs shared by a member of the osquery community, you might want to import those packs into your Fleet instance. To do this, you need access to a Unix shell and a basic knowledge of the fleetctl CLI tool.

Below are two example scenarios. For leaner instructions on how to move queries and packs from one Fleet environment to another, check out Fleet’s documentation.

Example scenario 1: Moving queries and packs from one Fleet environment to another

Let’s say you manage your organization’s staging and production Ubuntu servers. In order to keep your production servers speedy, you’ve set up two separate Fleet instances for the two environments: Staging and Production.

With this separation, you can diligently test your queries and packs in Staging without negatively impacting the performance on servers in Production.

On Friday, after test results come in, you want to move all performant packs from Staging to Production. You know you can open up the Fleet UI for Production and create the packs there manually, but each pack has at least 4 new queries. These packs and their respective queries already exist in Staging so you don’t need to spend time recreating each one in Production.

Here’s how you can export and import the packs in three quick steps with fleetctl:

1. Navigate to ~/.fleet/config to find the context names for your “exporter” and “importer” environment. For the purpose of these instructions, we use the context names staging and production respectively.

2. Run the command fleetctl get queries --yaml --context staging > queries.yml && fleetctl apply -f queries.yml --context production. This exports all the queries from your Staging Fleet instance and imports them into your Production Fleet instance; the && means the apply only runs if the export succeeded. Note that this also writes the list of all queries, in YAML syntax, to a file named `queries.yml`. fleetctl apply creates or updates by name, so a Production query with the same name as a Staging one is overwritten.

3. Run the command fleetctl get packs --yaml --context staging > packs.yml && fleetctl apply -f packs.yml --context production. This exports all the packs from your Staging Fleet instance and imports them into your Production Fleet instance. Note that this also writes the list of all packs, in YAML syntax, to a file named `packs.yml`.

Note: packs reference their queries by name, so when importing packs you must always first import all the queries (step 2) that these packs contain. A pack import cannot succeed until every query it references exists in the target instance.
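The three steps above as one reusable POSIX shell script, added here as an example (it is not part of the original post or of the Fleet project). It wraps the two export/apply command pairs, applies queries before packs, and, before applying anything, checks that every query a pack references is defined in the exported `queries.yml`, which is the condition the note above describes. It assumes the fleetctl YAML layout from Fleet's configuration docs (a query spec carries `name:`, and each entry under a pack's `spec.queries` references a query with `query:`); the `FLEETCTL` variable is the script's own knob, not a fleetctl feature, and should point at the real fleetctl binary in use. The same `missing_query_refs` check works on a community pack file before you apply it.

```sh
#!/bin/sh
# Added example, not from the Fleet project: promote queries and packs between
# two fleetctl contexts, refusing to apply packs that reference a query the
# exported queries.yml does not define. Assumes the fleetctl YAML layout from
# Fleet's docs: a query spec carries "name: <query>", and a pack's spec.queries
# entries reference queries with "query: <query name>".
set -u

FLEETCTL="${FLEETCTL:-fleetctl}"   # our own knob: point it at a wrapper or a stub

# Strip one pair of surrounding quotes from a YAML scalar (quoted names are rare but legal).
unquote() {
    sed -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# Query names defined in an exported queries file: the "name:" line of each query spec.
defined_query_names() {
    sed -n 's/^[[:space:]]*name:[[:space:]]*//p' "$1" | unquote | sort -u
}

# Query names a packs file references: the "- query:" line of each scheduled query.
# ("name:" lines in a packs file are pack or schedule names, so they are not read here.)
pack_query_refs() {
    sed -n 's/^[[:space:]]*-\{0,1\}[[:space:]]*query:[[:space:]]*//p' "$1" | unquote | sort -u
}

# Print every pack reference with no matching query definition; return 1 if there are any.
missing_query_refs() {
    queries_file=$1; packs_file=$2
    defined=$(mktemp)
    defined_query_names "$queries_file" > "$defined"
    if [ -s "$defined" ]; then
        missing=$(pack_query_refs "$packs_file" | grep -vxF -f "$defined" || true)
    else
        missing=$(pack_query_refs "$packs_file")   # nothing defined, so every reference is missing
    fi
    rm -f "$defined"
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# Export from context $1, verify, then apply to context $2: queries first,
# because packs refer to them by name.
promote_packs() {
    src=$1; dst=$2
    "$FLEETCTL" get queries --yaml --context "$src" > queries.yml
    "$FLEETCTL" get packs --yaml --context "$src" > packs.yml
    if ! missing_query_refs queries.yml packs.yml; then
        echo "refusing to apply packs.yml: the queries listed above are not in queries.yml" >&2
        return 1
    fi
    "$FLEETCTL" apply -f queries.yml --context "$dst"
    "$FLEETCTL" apply -f packs.yml --context "$dst"
}

# Usage: ./promote-packs.sh staging production
if [ "$#" -ge 2 ]; then
    promote_packs "$1" "$2"
fi
```

Run it from a scratch directory, since it writes `queries.yml` and `packs.yml` into the current directory; if the check fails it prints the unresolved query names and exits before touching the target instance.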

Example scenario 2: Importing community packs into Fleet

You just found a collection of awesome queries and packs for Fleet and you want to import them into your Staging Fleet environment.

Here’s how you can do this in 2 quick fleetctl commands.

1. Create a new file, awesome-packs.yml, and paste in the desired packs and queries in Fleet’s configuration file format.

Could this post be more helpful?

Let us know if you can think of any other example scenarios you’d like us to cover.

Fleet Device Management
