Welcome to the documentation for Fleet, the lightweight management platform for laptops and servers.
Can't find what you're looking for? Support
{{thisPage.title}}
On this page:
Fleet server configuration options update the internals of the Fleet server (MySQL database, Redis, etc.). Modifying these options requires restarting your Fleet server.
Only self-managed users and customers can modify this configuration. If you're a managed-cloud customer, please reach out to Fleet about modifying the configuration.
You can specify configuration options in the following formats:
s
, m
, h
.This section describes the configuration options for the primary. Suppose you also want to set up a read replica. In that case the options are the same, except that the YAML section is mysql_read_replica
, and the flags have the mysql_read_replica_
prefix instead of mysql_
(the corresponding environment variables follow the same transformation). Note that there is no default value for mysql_read_replica_address
, it must be set explicitly for Fleet to use a read replica, and it is recommended in that case to set a non-zero value for mysql_read_replica_conn_max_lifetime
as in some environments, the replica's address may dynamically change to point
from the primary to an actual distinct replica based on auto-scaling options, so existing idle connections need to be recycled
periodically.
For the address of the MySQL server that Fleet should connect to, include the hostname and port.
localhost:3306
FLEET_MYSQL_ADDRESS
mysql:
address: localhost:3306
This is the name of the MySQL database which Fleet will use.
fleet
FLEET_MYSQL_DATABASE
mysql:
database: fleet
The username to use when connecting to the MySQL instance.
fleet
FLEET_MYSQL_USERNAME
mysql:
username: fleet
The password to use when connecting to the MySQL instance.
fleet
FLEET_MYSQL_PASSWORD
mysql:
password: fleet
File path to a file that contains the password to use when connecting to the MySQL instance.
""
FLEET_MYSQL_PASSWORD_PATH
mysql:
password_path: '/run/secrets/fleetdm-mysql-password'
The path to a PEM encoded certificate of MYSQL's CA for client certificate authentication.
FLEET_MYSQL_TLS_CA
mysql:
tls_ca: /path/to/server-ca.pem
The path to a PEM encoded certificate is used for TLS authentication.
FLEET_MYSQL_TLS_CERT
mysql:
tls_cert: /path/to/certificate.pem
The path to a PEM encoded private key used for TLS authentication.
FLEET_MYSQL_TLS_KEY
mysql:
tls_key: /path/to/key.pem
The TLS value in an MYSQL DSN. Can be true
,false
,skip-verify
, or the CN value of the certificate.
FLEET_MYSQL_TLS_CONFIG
mysql:
tls_config: true
This is the server name or IP address used by the client certificate.
FLEET_MYSQL_TLS_SERVER_NAME
mysql:
server_name: 127.0.0.1
The maximum open connections to the database.
Default value: 50
Environment variable: FLEET_MYSQL_MAX_OPEN_CONNS
Config file format:
mysql:
max_open_conns: 50
Note: Fleet server uses SQL prepared statements, and the default setting of MySQL DB server's max_prepared_stmt_count may need to be adjusted for large deployments. This setting should be greater than or equal to:
FLEET_MYSQL_MAX_OPEN_CONNS * (max number of fleet servers) * 4
Fleet uses 3 prepared statements for authentication (used by Fleet API) + each database connection can be using 1 additional prepared statement.
The maximum idle connections to the database. This value should be equal to or less than mysql_max_open_conns
.
FLEET_MYSQL_MAX_IDLE_CONNS
mysql:
max_idle_conns: 50
The maximum amount of time, in seconds, a connection may be reused.
FLEET_MYSQL_CONN_MAX_LIFETIME
mysql:
conn_max_lifetime: 50
Sets the connection sql_mode
. See MySQL Reference for more details.
This setting should not usually be used.
""
FLEET_MYSQL_SQL_MODE
mysql:
sql_mode: ANSI
Note that to test a TLS connection to a Redis instance, run the
tlsconnect
Go program in tools/redis-tests
, e.g., from the root of the repository:
$ go run ./tools/redis-tests/tlsconnect.go -addr <redis_address> -cacert <redis_tls_ca> -cert <redis_tls_cert> -key <redis_tls_key>
# run `go run ./tools/redis-tests/tlsconnect.go -h` for the full list of supported flags
By default, this will set up a Redis pool for that configuration and execute a
PING
command with a TLS connection, printing any error it encounters.
For the address of the Redis server that Fleet should connect to, include the hostname and port.
localhost:6379
FLEET_REDIS_ADDRESS
redis:
address: 127.0.0.1:7369
The username to use when connecting to the Redis instance.
<empty>
FLEET_REDIS_USERNAME
redis:
username: foobar
The password to use when connecting to the Redis instance.
<empty>
FLEET_REDIS_PASSWORD
redis:
password: foobar
The database to use when connecting to the Redis instance.
0
FLEET_REDIS_DATABASE
redis:
database: 14
Use a TLS connection to the Redis server.
false
FLEET_REDIS_USE_TLS
redis:
use_tls: true
Whether or not to duplicate Live Query results to another Redis channel named LQDuplicate
. This is useful in a scenario involving shipping the Live Query results outside of Fleet, near real-time.
false
FLEET_REDIS_DUPLICATE_RESULTS
redis:
duplicate_results: true
Timeout for redis connection.
FLEET_REDIS_CONNECT_TIMEOUT
redis:
connect_timeout: 10s
The interval between keep-alive probes.
FLEET_REDIS_KEEP_ALIVE
redis:
keep_alive: 30s
The maximum number of attempts to retry a failed connection to a Redis node. Only certain types of errors are retried, such as connection timeouts.
FLEET_REDIS_CONNECT_RETRY_ATTEMPTS
redis:
connect_retry_attempts: 2
Whether or not to automatically follow redirection errors received from the Redis server. Applies only to Redis Cluster setups, ignored in standalone Redis. In Redis Cluster, keys can be moved around to different nodes when the cluster is unstable and reorganizing the data. With this configuration option set to true, those (typically short and transient) redirection errors can be handled transparently instead of ending in an error.
FLEET_REDIS_CLUSTER_FOLLOW_REDIRECTIONS
redis:
cluster_follow_redirections: true
Whether or not to prefer reading from a replica when possible. Applies only to Redis Cluster setups, ignored in standalone Redis.
FLEET_REDIS_CLUSTER_READ_FROM_REPLICA
redis:
cluster_read_from_replica: true
This is the path to a PEM-encoded certificate used for TLS authentication.
FLEET_REDIS_TLS_CERT
redis:
tls_cert: /path/to/certificate.pem
This is the path to a PEM-encoded private key used for TLS authentication.
FLEET_REDIS_TLS_KEY
redis:
tls_key: /path/to/key.pem
This is the path to a PEM-encoded certificate of Redis' CA for client certificate authentication.
FLEET_REDIS_TLS_CA
redis:
tls_ca: /path/to/server-ca.pem
The server name or IP address used by the client certificate.
FLEET_REDIS_TLS_SERVER_NAME
redis:
tls_server_name: 127.0.0.1
The timeout for the Redis TLS handshake part of the connection. A value of 0 means no timeout.
FLEET_REDIS_TLS_HANDSHAKE_TIMEOUT
redis:
tls_handshake_timeout: 10s
The maximum idle connections to Redis. This value should be equal to or less than redis_max_open_conns
.
FLEET_REDIS_MAX_IDLE_CONNS
redis:
max_idle_conns: 50
The maximum open connections to Redis. A value of 0 means no limit.
FLEET_REDIS_MAX_OPEN_CONNS
redis:
max_open_conns: 100
The maximum time a Redis connection may be reused. A value of 0 means no limit.
FLEET_REDIS_CONN_MAX_LIFETIME
redis:
conn_max_lifetime: 30m
The maximum time a Redis connection may stay idle. A value of 0 means no limit.
FLEET_REDIS_IDLE_TIMEOUT
redis:
idle_timeout: 5m
The maximum time to wait for a Redis connection if the max_open_conns limit is reached. A value of 0 means no wait.
FLEET_REDIS_CONN_WAIT_TIMEOUT
redis:
conn_wait_timeout: 1s
The maximum time to wait to receive a response from a Redis server. A value of 0 means no timeout.
FLEET_REDIS_READ_TIMEOUT
redis:
read_timeout: 5s
The maximum time to wait to send a command to a Redis server. A value of 0 means no timeout.
FLEET_REDIS_WRITE_TIMEOUT
redis:
write_timeout: 5s
The address to serve the Fleet webserver.
0.0.0.0:8080
FLEET_SERVER_ADDRESS
server:
address: 0.0.0.0:443
The TLS cert to use when terminating TLS.
See TLS certificate considerations for more information about certificates and Fleet.
./tools/osquery/fleet.crt
FLEET_SERVER_CERT
server:
cert: /tmp/fleet.crt
The TLS key to use when terminating TLS.
./tools/osquery/fleet.key
FLEET_SERVER_KEY
server:
key: /tmp/fleet.key
Whether or not the server should be served over TLS.
true
FLEET_SERVER_TLS
server:
tls: false
Configures the TLS settings for compatibility with various user agents. Options are modern
and intermediate
. These correspond to the compatibility levels defined by the Mozilla OpSec team (updated July 24, 2020).
intermediate
FLEET_SERVER_TLS_COMPATIBILITY
server:
tls_compatibility: intermediate
Sets a URL prefix to use when serving the Fleet API and frontend. Prefixes should be in the form /apps/fleet
(no trailing slash).
Note that some other configurations may need to be changed when modifying the URL prefix. In particular, URLs that are provided to osquery via flagfile, the configuration served by Fleet, the URL prefix used by fleetctl
, and the redirect URL set with an identity provider.
FLEET_SERVER_URL_PREFIX
server:
url_prefix: /apps/fleet
Controls the server side http keep alive property.
Turning off keepalives has helped reduce outstanding TCP connections in some deployments.
FLEET_SERVER_KEEPALIVE
server:
keepalive: true
Controls the servers websocket origin check. If your Fleet server is behind a reverse proxy,
the Origin header may not reflect the client's true origin. In this case, you might need to
disable the origin header (by setting this configuration to true
)
check or configure your reverse proxy to forward the correct Origin header.
Setting to true will disable the origin check.
FLEET_SERVER_WEBSOCKETS_ALLOW_UNSAFE_ORIGIN
server:
websockets_allow_unsafe_origin: true
This key is required for enabling macOS MDM features and/or storing sensitive configs (passwords, API keys, etc.) in Fleet. If you are using the FLEET_APPLE_APNS_*
and FLEET_APPLE_SCEP_*
variables, Fleet will automatically encrypt the values of those variables using FLEET_SERVER_PRIVATE_KEY
and save them in the database when you restart after updating.
The key must be at least 32 bytes long. Run openssl rand -base64 32
in the Terminal app to generate one on macOS.
server:
private_key: 72414F4A688151F75D032F5CDA095FC4
The bcrypt cost to use when hashing user passwords.
12
FLEET_AUTH_BCRYPT_COST
auth:
bcrypt_cost: 14
The key size of the salt which is generated when hashing user passwords.
Note: Fleet uses the
bcrypt
hashing algorithm for hashing passwords, which has a 72 character input limit. This means that the plaintext password (i.e. the password input by the user) length + the value ofauth_salt_key_size
cannot exceed 72. In the default case, the max length of a plaintext password is 48 (72 - 24).
24
FLEET_AUTH_SALT_KEY_SIZE
auth:
salt_key_size: 36
Size of generated app tokens.
24
FLEET_APP_TOKEN_KEY_SIZE
app:
token_key_size: 36
How long invite tokens should be valid for.
5 days
FLEET_APP_INVITE_TOKEN_VALIDITY_PERIOD
app:
invite_token_validity_period: 1d
Determines whether Fleet collects performance impact statistics for scheduled queries.
If set to false
, stats are still collected for live queries.
true
FLEET_APP_ENABLE_SCHEDULED_QUERY_STATS
app:
enable_scheduled_query_stats: true
The license key provided to Fleet customers which provides access to Fleet Premium features.
FLEET_LICENSE_KEY
license:
key: foobar
The size of the session key.
64
FLEET_SESSION_KEY_SIZE
session:
key_size: 48
This is the amount of time that a session should last. Whenever a user logs in, the time is reset to the specified, or default, duration.
Valid time units are s
, m
, h
.
5d
(5 days)FLEET_SESSION_DURATION
session:
duration: 4h
The size of the node key which is negotiated with osqueryd
clients.
24
FLEET_OSQUERY_NODE_KEY_SIZE
osquery:
node_key_size: 36
The identifier to use when determining uniqueness of hosts.
Options are provided
(default), uuid
, hostname
, or instance
.
This setting works in combination with the --host_identifier
flag in osquery. In most deployments, using uuid
will be the best option. The flag defaults to provided
-- preserving the existing behavior of Fleet's handling of host identifiers -- using the identifier provided by osquery. instance
, uuid
, and hostname
correspond to the same meanings as osquery's --host_identifier
flag.
Users that have duplicate UUIDs in their environment can benefit from setting this flag to instance
.
If you are enrolling your hosts using Fleet generated packages, it is reccommended to use
uuid
as your indentifier. This prevents potential issues with duplicate host enrollments.
provided
FLEET_OSQUERY_HOST_IDENTIFIER
osquery:
host_identifier: uuid
The cooldown period for host enrollment. If a host (uniquely identified by the osquery_host_identifier
option) tries to enroll within this duration from the last enrollment, enroll will fail.
This flag can be used to control load on the database in scenarios in which many hosts are using the same identifier. Often configuring osquery_host_identifier
to instance
may be a better solution.
0
(off)FLEET_OSQUERY_ENROLL_COOLDOWN
osquery:
enroll_cooldown: 1m
The interval at which Fleet will ask Fleet's agent (fleetd) to update results for label queries.
Setting this to a higher value can reduce baseline load on the Fleet server in larger deployments.
Setting this to a lower value can increase baseline load significantly and cause performance issues or even outages. Proceed with caution.
Valid time units are s
, m
, h
.
1h
FLEET_OSQUERY_LABEL_UPDATE_INTERVAL
osquery:
label_update_interval: 90m
The interval at which Fleet will ask Fleet's agent (fleetd) to update results for policy queries.
Setting this to a higher value can reduce baseline load on the Fleet server in larger deployments.
Setting this to a lower value can increase baseline load significantly and cause performance issues or even outages. Proceed with caution.
Valid time units are s
, m
, h
.
1h
FLEET_OSQUERY_POLICY_UPDATE_INTERVAL
osquery:
policy_update_interval: 90m
The interval at which Fleet will ask Fleet's agent (fleetd) to update host details (such as uptime, hostname, network interfaces, etc.)
Setting this to a higher value can reduce baseline load on the Fleet server in larger deployments.
Setting this to a lower value can increase baseline load significantly and cause performance issues or even outages. Proceed with caution.
Valid time units are s
, m
, h
.
1h
FLEET_OSQUERY_DETAIL_UPDATE_INTERVAL
osquery:
detail_update_interval: 90m
This is the log output plugin that should be used for osquery status logs received from clients. Check out the reference documentation for log destinations.
Options are filesystem
, firehose
, kinesis
, lambda
, pubsub
, kafkarest
, and stdout
.
filesystem
FLEET_OSQUERY_STATUS_LOG_PLUGIN
osquery:
status_log_plugin: firehose
This is the log output plugin that should be used for osquery result logs received from clients. Check out the reference documentation for log destinations.
Options are filesystem
, firehose
, kinesis
, lambda
, pubsub
, kafkarest
, and stdout
.
filesystem
FLEET_OSQUERY_RESULT_LOG_PLUGIN
osquery:
result_log_plugin: firehose
Given an update interval (label, or details), this will add up to the defined percentage in randomness to the interval.
The goal of this is to prevent all hosts from checking in with data at the same time.
So for example, if the label_update_interval is 1h, and this is set to 10. It'll add up a random number between 0 and 6 minutes to the amount of time it takes for Fleet to give the host the label queries.
10
FLEET_OSQUERY_MAX_JITTER_PERCENT
osquery:
max_jitter_percent: 10
Experimental feature. Enable asynchronous processing of hosts' query results. Currently, asyncronous processing is only supported for label query execution, policy membership results, hosts' last seen timestamp, and hosts' scheduled query statistics. This may improve the performance and CPU usage of the Fleet instances and MySQL database servers for setups with a large number of hosts while requiring more resources from Redis server(s).
Note that currently, if both the failing policies webhook and this osquery.enable_async_host_processing
option are set, some failing policies webhooks could be missing (some transitions from succeeding to failing or vice-versa could happen without triggering a webhook request).
It can be set to a single boolean value ("true" or "false"), which controls all async host processing tasks, or it can be set for specific async tasks using a syntax similar to an URL query string or parameters in a Data Source Name (DSN) string, e.g., "label_membership=true&policy_membership=true". When using the per-task syntax, omitted tasks get the default value. The supported async task names are:
label_membership
for updating the hosts' label query execution;policy_membership
for updating the hosts' policy membership results;host_last_seen
for updating the hosts' last seen timestamp.scheduled_query_stats
for saving the hosts' scheduled query statistics.FLEET_OSQUERY_ENABLE_ASYNC_HOST_PROCESSING
osquery:
enable_async_host_processing: true
Fleet tested this option for
policy_membership=true
in this issue and found that it does not impact the performance or behavior of the app.
Applies only when osquery_enable_async_host_processing
is enabled. Sets the interval at which the host data will be collected into the database. Each Fleet instance will attempt to do the collection at this interval (with some optional jitter added, see osquery_async_host_collect_max_jitter_percent
), with only one succeeding to get the exclusive lock.
It can be set to a single duration value (e.g., "30s"), which defines the interval for all async host processing tasks, or it can be set for specific async tasks using a syntax similar to an URL query string or parameters in a Data Source Name (DSN) string, e.g., "label_membership=10s&policy_membership=1m". When using the per-task syntax, omitted tasks get the default value. See osquery_enable_async_host_processing for the supported async task names.
FLEET_OSQUERY_ASYNC_HOST_COLLECT_INTERVAL
osquery:
async_host_collect_interval: 1m
Applies only when osquery_enable_async_host_processing
is enabled. A number interpreted as a percentage of osquery_async_host_collect_interval
to add to (or remove from) the interval so that not all hosts try to do the collection at the same time.
FLEET_OSQUERY_ASYNC_HOST_COLLECT_MAX_JITTER_PERCENT
osquery:
async_host_collect_max_jitter_percent: 5
Applies only when osquery_enable_async_host_processing
is enabled. Timeout of the lock acquired by a Fleet instance to collect host data into the database. If the collection runs for too long or the instance crashes unexpectedly, the lock will be automatically released after this duration and another Fleet instance can proceed with the next collection.
It can be set to a single duration value (e.g., "1m"), which defines the lock timeout for all async host processing tasks, or it can be set for specific async tasks using a syntax similar to an URL query string or parameters in a Data Source Name (DSN) string, e.g., "label_membership=2m&policy_membership=5m". When using the per-task syntax, omitted tasks get the default value. See osquery_enable_async_host_processing for the supported async task names.
FLEET_OSQUERY_ASYNC_HOST_COLLECT_LOCK_TIMEOUT
osquery:
async_host_collect_lock_timeout: 5m
Applies only when osquery_enable_async_host_processing
is enabled. Interval at which the host collection statistics are logged, 0 to disable logging of statistics. Note that logging is done at the "debug" level.
FLEET_OSQUERY_ASYNC_HOST_COLLECT_LOG_STATS_INTERVAL
osquery:
async_host_collect_log_stats_interval: 5m
Applies only when osquery_enable_async_host_processing
is enabled. Size of the INSERT batch when collecting host data into the database.
FLEET_OSQUERY_ASYNC_HOST_INSERT_BATCH
osquery:
async_host_insert_batch: 1000
Applies only when osquery_enable_async_host_processing
is enabled. Size of the DELETE batch when collecting host data into the database.
FLEET_OSQUERY_ASYNC_HOST_DELETE_BATCH
osquery:
async_host_delete_batch: 1000
Applies only when osquery_enable_async_host_processing
is enabled. Size of the UPDATE batch when collecting host data into the database.
FLEET_OSQUERY_ASYNC_HOST_UPDATE_BATCH
osquery:
async_host_update_batch: 500
Applies only when osquery_enable_async_host_processing
is enabled. Maximum number of items to pop from a redis key at a time when collecting host data into the database.
FLEET_OSQUERY_ASYNC_HOST_REDIS_POP_COUNT
osquery:
async_host_redis_pop_count: 500
Applies only when osquery_enable_async_host_processing
is enabled. Order of magnitude (e.g., 10, 100, 1000, etc.) of set members to scan in a single ZSCAN/SSCAN request for items to process when collecting host data into the database.
FLEET_OSQUERY_ASYNC_HOST_REDIS_SCAN_KEYS_COUNT
osquery:
async_host_redis_scan_keys_count: 100
The minimum time difference between the software's "last opened at" timestamp reported by osquery and the last timestamp saved for that software on that host helps minimize the number of updates required when a host reports its installed software information, resulting in less load on the database. If there is no existing timestamp for the software on that host (or if the software was not installed on that host previously), the new timestamp is automatically saved.
FLEET_OSQUERY_MIN_SOFTWARE_LAST_OPENED_AT_DIFF
osquery:
min_software_last_opened_at_diff: 4h
Applies only to Fleet Premium. Activity information is available for all Fleet instances using the Activities API.
Stream Fleet user activities to logs using Fleet's logging plugins. The audit events are logged in an asynchronous fashion. It can take up to 5 minutes for an event to be logged.
This enables/disables the log output for audit events.
See the activity_audit_log_plugin
option below that specifies the logging destination.
false
FLEET_ACTIVITY_ENABLE_AUDIT_LOG
activity:
enable_audit_log: true
This is the log output plugin that should be used for audit logs.
This flag only has effect if activity_enable_audit_log
is set to true
.
Each plugin has additional configuration options. Please see the configuration section linked below for your logging plugin.
Options are filesystem
, firehose
, kinesis
, lambda
, pubsub
, kafkarest
, and stdout
(no additional configuration needed).
filesystem
FLEET_ACTIVITY_AUDIT_LOG_PLUGIN
activity:
audit_log_plugin: firehose
Whether or not to enable debug logging.
false
FLEET_LOGGING_DEBUG
logging:
debug: true
Whether or not to log in JSON.
false
FLEET_LOGGING_JSON
logging:
json: true
Whether or not to log the welcome banner.
false
FLEET_LOGGING_DISABLE_BANNER
logging:
disable_banner: true
The amount of time to keep an error. Unique instances of errors are stored temporarily to help with troubleshooting, this setting controls that duration. Set to 0 to keep them without expiration, and a negative value to disable storage of errors in Redis.
FLEET_LOGGING_ERROR_RETENTION_PERIOD
logging:
error_retention_period: 1h
This flag only has effect if osquery_status_log_plugin
is set to filesystem
(the default value).
The path which osquery status logs will be logged to.
/tmp/osquery_status
FLEET_FILESYSTEM_STATUS_LOG_FILE
filesystem:
status_log_file: /var/log/osquery/status.log
This flag only has effect if osquery_result_log_plugin
is set to filesystem
(the default value).
The path which osquery result logs will be logged to.
/tmp/osquery_result
FLEET_FILESYSTEM_RESULT_LOG_FILE
filesystem:
result_log_file: /var/log/osquery/result.log
This flag only has effect if activity_audit_log_plugin
is set to filesystem
(the default value) and if activity_enable_audit_log
is set to true
.
The path which audit logs will be logged to.
/tmp/audit
FLEET_FILESYSTEM_AUDIT_LOG_FILE
filesystem:
audit_log_file: /var/log/fleet/audit.log
This flag only has effect if one of the following is true:
osquery_result_log_plugin
or osquery_status_log_plugin
are set to filesystem
(the default value).activity_audit_log_plugin
is set to filesystem
and activity_enable_audit_log
is set to true
.This flag will cause the osquery result and status log files to be automatically rotated when files reach a size of 500 MB or an age of 28 days.
false
FLEET_FILESYSTEM_ENABLE_LOG_ROTATION
filesystem:
enable_log_rotation: true
This flag only has effect if filesystem_enable_log_rotation
is set to true
.
This flag will cause the rotated logs to be compressed with gzip.
false
FLEET_FILESYSTEM_ENABLE_LOG_COMPRESSION
filesystem:
enable_log_compression: true
This flag only has effect if filesystem_enable_log_rotation
is set to true
.
Sets the maximum size in megabytes of log files before it gets rotated.
500
FLEET_FILESYSTEM_MAX_SIZE
filesystem:
max_size: 100
This flag only has effect if filesystem_enable_log_rotation
is set to true
.
Sets the maximum age in days to retain old log files before deletion. Setting this to zero will retain all logs.
28
FLEET_FILESYSTEM_MAX_AGE
filesystem:
max_age: 0
This flag only has effect if filesystem_enable_log_rotation
is set to true
.
Sets the maximum number of old files to retain before deletion. Setting this to zero will retain all logs. Note max_age may still cause them to be deleted.
3
FLEET_FILESYSTEM_MAX_BACKUPS
filesystem:
max_backups: 0
This flag only has effect if one of the following is true:
osquery_result_log_plugin
or osquery_status_log_plugin
are set to firehose
.activity_audit_log_plugin
is set to firehose
and activity_enable_audit_log
is set to true
.AWS region to use for Firehose connection.
FLEET_FIREHOSE_REGION
firehose:
region: ca-central-1
This flag only has effect if one of the following is true:
osquery_result_log_plugin
or osquery_status_log_plugin
are set to firehose
.activity_audit_log_plugin
is set to firehose
and activity_enable_audit_log
is set to true
.If firehose_access_key_id
and firehose_secret_access_key
are omitted, Fleet will try to use AWS STS credentials.
AWS access key ID to use for Firehose authentication.
FLEET_FIREHOSE_ACCESS_KEY_ID
firehose:
access_key_id: AKIAIOSFODNN7EXAMPLE
This flag only has effect if one of the following is true:
osquery_result_log_plugin
or osquery_status_log_plugin
are set to firehose
.activity_audit_log_plugin
is set to firehose
and activity_enable_audit_log
is set to true
.AWS secret access key to use for Firehose authentication.
FLEET_FIREHOSE_SECRET_ACCESS_KEY
firehose:
secret_access_key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
This flag only has effect if one of the following is true:
osquery_result_log_plugin
or osquery_status_log_plugin
are set to firehose
.activity_audit_log_plugin
is set to firehose
and activity_enable_audit_log
is set to true
.AWS STS role ARN to use for Firehose authentication.
FLEET_FIREHOSE_STS_ASSUME_ROLE_ARN
firehose:
sts_assume_role_arn: arn:aws:iam::1234567890:role/firehose-role
This flag only has effect if one of the following is true:
osquery_result_log_plugin
or osquery_status_log_plugin
are set to firehose
.activity_audit_log_plugin
is set to firehose
and activity_enable_audit_log
is set to true
.AWS STS External ID to use for Firehose authentication. This is typically used in conjunction with an STS role ARN to ensure that only the intended AWS account can assume the role.
FLEET_FIREHOSE_STS_EXTERNAL_ID
firehose:
sts_external_id: your_unique_id
This flag only has effect if osquery_status_log_plugin
is set to firehose
.
Name of the Firehose stream to write osquery status logs received from clients.
FLEET_FIREHOSE_STATUS_STREAM
firehose:
status_stream: osquery_status
The IAM role used to send to Firehose must allow the following permissions on the stream listed:
firehose:DescribeDeliveryStream
firehose:PutRecordBatch
This flag only has effect if osquery_result_log_plugin
is set to firehose
.
Name of the Firehose stream to write osquery result logs received from clients.
FLEET_FIREHOSE_RESULT_STREAM
firehose:
result_stream: osquery_result
The IAM role used to send to Firehose must allow the following permissions on the stream listed:
firehose:DescribeDeliveryStream
firehose:PutRecordBatch
This flag only has effect if activity_audit_log_plugin
is set to firehose
.
Name of the Firehose stream to audit logs.
FLEET_FIREHOSE_AUDIT_STREAM
firehose:
audit_stream: fleet_audit
The IAM role used to send to Firehose must allow the following permissions on the stream listed:
firehose:DescribeDeliveryStream
firehose:PutRecordBatch
This flag only has effect if one of the following is true:
osquery_result_log_plugin
or osquery_status_log_plugin
are set to kinesis
.activity_audit_log_plugin
is set to kinesis
and activity_enable_audit_log
is set to true
.AWS region to use for Kinesis connection
FLEET_KINESIS_REGION
kinesis:
region: ca-central-1
This flag only has effect if one of the following is true:
osquery_result_log_plugin
or osquery_status_log_plugin
are set to kinesis
.activity_audit_log_plugin
is set to kinesis
and activity_enable_audit_log
is set to true
.If kinesis_access_key_id
and kinesis_secret_access_key
are omitted, Fleet
will try to use
AWS STS
credentials.
AWS access key ID to use for Kinesis authentication.
FLEET_KINESIS_ACCESS_KEY_ID
kinesis:
access_key_id: AKIAIOSFODNN7EXAMPLE
This flag only has effect if one of the following is true:
osquery_result_log_plugin
or osquery_status_log_plugin
are set to kinesis
.activity_audit_log_plugin
is set to kinesis
and activity_enable_audit_log
is set to true
.AWS secret access key to use for Kinesis authentication.
FLEET_KINESIS_SECRET_ACCESS_KEY
kinesis:
secret_access_key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
This flag only has effect if one of the following is true:
osquery_result_log_plugin
or osquery_status_log_plugin
are set to kinesis
.activity_audit_log_plugin
is set to kinesis
and activity_enable_audit_log
is set to true
.AWS STS role ARN to use for Kinesis authentication.
FLEET_KINESIS_STS_ASSUME_ROLE_ARN
kinesis:
sts_assume_role_arn: arn:aws:iam::1234567890:role/kinesis-role
This flag only has effect if one of the following is true:
osquery_result_log_plugin
or osquery_status_log_plugin
are set to kinesis
.activity_audit_log_plugin
is set to kinesis
and activity_enable_audit_log
is set to true
.AWS STS External ID to use for Kinesis authentication. This is typically used in conjunction with an STS role ARN to ensure that only the intended AWS account can assume the role.
FLEET_KINESIS_STS_EXTERNAL_ID
kinesis:
sts_external_id: your_unique_id
This flag only has effect if osquery_status_log_plugin
is set to kinesis
.
Name of the Kinesis stream to write osquery status logs received from clients.
FLEET_KINESIS_STATUS_STREAM
kinesis:
status_stream: osquery_status
The IAM role used to send to Kinesis must allow the following permissions on the stream listed:
kinesis:DescribeStream
kinesis:PutRecords
This flag only has effect if osquery_result_log_plugin
is set to kinesis
.
Name of the Kinesis stream to write osquery result logs received from clients.
FLEET_KINESIS_RESULT_STREAM
kinesis:
result_stream: osquery_result
The IAM role used to send to Kinesis must allow the following permissions on the stream listed:
kinesis:DescribeStream
kinesis:PutRecords
This flag only has effect if activity_audit_log_plugin
is set to kinesis
.
Name of the Kinesis stream to write audit logs.
FLEET_KINESIS_AUDIT_STREAM
kinesis:
audit_stream: fleet_audit
The IAM role used to send to Kinesis must allow the following permissions on the stream listed:
kinesis:DescribeStream
kinesis:PutRecords
This flag only has effect if one of the following is true:
osquery_result_log_plugin
or osquery_status_log_plugin
are set to lambda
.activity_audit_log_plugin
is set to lambda
and activity_enable_audit_log
is set to true
.AWS region to use for Lambda connection.
FLEET_LAMBDA_REGION
lambda:
region: ca-central-1
This flag only has effect if one of the following is true:
osquery_result_log_plugin
or osquery_status_log_plugin
are set to lambda
.activity_audit_log_plugin
is set to lambda
and activity_enable_audit_log
is set to true
.If lambda_access_key_id
and lambda_secret_access_key
are omitted, Fleet
will try to use
AWS STS
credentials.
AWS access key ID to use for Lambda authentication.
FLEET_LAMBDA_ACCESS_KEY_ID
lambda:
access_key_id: AKIAIOSFODNN7EXAMPLE
This flag only has effect if one of the following is true:
osquery_result_log_plugin
or osquery_status_log_plugin
are set to lambda
.activity_audit_log_plugin
is set to lambda
and activity_enable_audit_log
is set to true
.AWS secret access key to use for Lambda authentication.
FLEET_LAMBDA_SECRET_ACCESS_KEY
lambda:
secret_access_key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
This flag only has effect if one of the following is true:
osquery_result_log_plugin
or osquery_status_log_plugin
are set to lambda
.activity_audit_log_plugin
is set to lambda
and activity_enable_audit_log
is set to true
.AWS STS role ARN to use for Lambda authentication.
FLEET_LAMBDA_STS_ASSUME_ROLE_ARN
lambda:
sts_assume_role_arn: arn:aws:iam::1234567890:role/lambda-role
This flag only has effect if one of the following is true:
osquery_result_log_plugin
or osquery_status_log_plugin
are set to lambda
.activity_audit_log_plugin
is set to lambda
and activity_enable_audit_log
is set to true
.AWS STS External ID to use for Lambda authentication. This is typically used in conjunction with an STS role ARN to ensure that only the intended AWS account can assume the role.
FLEET_LAMBDA_STS_EXTERNAL_ID
lambda:
sts_external_id: your_unique_id
This flag only has effect if osquery_status_log_plugin
is set to lambda
.
Name of the Lambda function to write osquery status logs received from clients.
FLEET_LAMBDA_STATUS_FUNCTION
lambda:
status_function: statusFunction
The IAM role used to send to Lambda must allow the following permissions on the function listed:
lambda:InvokeFunction
This flag only has effect if osquery_result_log_plugin
is set to lambda
.
Name of the Lambda function to write osquery result logs received from clients.
FLEET_LAMBDA_RESULT_FUNCTION
lambda:
result_function: resultFunction
The IAM role used to send to Lambda must allow the following permissions on the function listed:
lambda:InvokeFunction
This flag only has effect if activity_audit_log_plugin
is set to lambda
.
Name of the Lambda function to write audit logs.
FLEET_LAMBDA_AUDIT_FUNCTION
lambda:
audit_function: auditFunction
The IAM role used to send to Lambda must allow the following permissions on the function listed:
lambda:InvokeFunction
This flag only has effect if one of the following is true:
osquery_result_log_plugin
or osquery_status_log_plugin
are set to pubsub
.activity_audit_log_plugin
is set to pubsub
and activity_enable_audit_log
is set to true
.The identifier of the Google Cloud project containing the pubsub topics to publish logs to.
Note that the pubsub plugin uses Application Default Credentials (ADCs) for authentication with the service.
FLEET_PUBSUB_PROJECT
pubsub:
project: my-gcp-project
This flag only has effect if osquery_result_log_plugin
is set to pubsub
.
The identifier of the pubsub topic that client results will be published to.
FLEET_PUBSUB_RESULT_TOPIC
pubsub:
result_topic: osquery_result
This flag only has effect if osquery_status_log_plugin
is set to pubsub
.
The identifier of the pubsub topic that osquery status logs will be published to.
FLEET_PUBSUB_STATUS_TOPIC
pubsub:
status_topic: osquery_status
This flag only has effect if osquery_audit_log_plugin
is set to pubsub
.
The identifier of the pubsub topic that client results will be published to.
FLEET_PUBSUB_AUDIT_TOPIC
pubsub:
audit_topic: fleet_audit
This flag only has effect if osquery_status_log_plugin
is set to pubsub
.
Add Pub/Sub attributes to messages. When enabled, the plugin parses the osquery result messages, and adds the following Pub/Sub message attributes:
name
- the name
attribute from the message bodytimestamp
- the unixTime
attribute from the message body, converted to rfc3339 formatThis feature is useful when combined with subscription filters.
FLEET_PUBSUB_ADD_ATTRIBUTES
pubsub:
add_attributes: true
This flag only has effect if one of the following is true:
osquery_result_log_plugin
or osquery_status_log_plugin
are set to kafkarest
.activity_audit_log_plugin
is set to kafkarest
and activity_enable_audit_log
is set to true
.The URL of the host which to check for the topic existence and post messages to the specified topic.
FLEET_KAFKAREST_PROXYHOST
kafkarest:
proxyhost: "https://localhost:8443"
This flag only has effect if osquery_status_log_plugin
is set to kafkarest
.
The identifier of the kafka topic that osquery status logs will be published to.
FLEET_KAFKAREST_STATUS_TOPIC
kafkarest:
status_topic: osquery_status
This flag only has effect if osquery_result_log_plugin
is set to kafkarest
.
The identifier of the kafka topic that osquery result logs will be published to.
FLEET_KAFKAREST_RESULT_TOPIC
kafkarest:
result_topic: osquery_result
This flag only has effect if osquery_audit_log_plugin
is set to kafkarest
.
The identifier of the kafka topic that audit logs will be published to.
FLEET_KAFKAREST_AUDIT_TOPIC
kafkarest:
audit_topic: fleet_audit
This flag only has effect if one of the following is true:
osquery_result_log_plugin
or osquery_status_log_plugin
are set to kafkarest
.activity_audit_log_plugin
is set to kafkarest
and activity_enable_audit_log
is set to true
.The timeout value for the http post attempt. Value is in units of seconds.
FLEET_KAFKAREST_TIMEOUT
kafkarest:
timeout: 5
This flag only has effect if one of the following is true:
osquery_result_log_plugin
or osquery_status_log_plugin
are set to kafkarest
.activity_audit_log_plugin
is set to kafkarest
and activity_enable_audit_log
is set to true
.The value of the Content-Type header to use in Kafka REST Proxy API calls. More information about available versions can be found here. Note: only JSON format is supported
FLEET_KAFKAREST_CONTENT_TYPE_VALUE
kafkarest:
content_type_value: application/vnd.kafka.json.v2+json
By default, the SMTP backend is enabled and no additional configuration is required on the server settings. You can configure SMTP through the Fleet console UI. However, you can also configure Fleet to use AWS SES natively rather than through SMTP.
A configured email backend is required for sending user invites, resetting passwords, verifying user email address changes, and multi-factor authentication within Fleet (without using an SSO identity provider).
Enable SES support for Fleet. You must also configure the ses configurations such as ses.source_arn
email:
backend: ses
The following configurations only have an effect if SES email backend is enabled FLEET_EMAIL_BACKEND=ses
.
This flag only has effect if email.backend
or FLEET_EMAIL_BACKEND
is set to ses
.
AWS region to use for SES connection.
FLEET_SES_REGION
ses:
region: us-east-2
This flag only has effect if email.backend
or FLEET_EMAIL_BACKEND
is set to ses
.
If ses_access_key_id
and ses_secret_access_key
are omitted, Fleet
will try to use
AWS STS
credentials.
AWS access key ID to use for Lambda authentication.
FLEET_SES_ACCESS_KEY_ID
ses:
access_key_id: AKIAIOSFODNN7EXAMPLE
This flag only has effect if email.backend
or FLEET_EMAIL_BACKEND
is set to ses
.
If ses_access_key_id
and ses_secret_access_key
are omitted, Fleet
will try to use
AWS STS
credentials.
AWS secret access key to use for SES authentication.
FLEET_SES_SECRET_ACCESS_KEY
ses:
secret_access_key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
This flag only has effect if email.backend
or FLEET_EMAIL_BACKEND
is set to ses
.
AWS STS role ARN to use for SES authentication.
FLEET_SES_STS_ASSUME_ROLE_ARN
ses:
sts_assume_role_arn: arn:aws:iam::1234567890:role/ses-role
This flag only has effect if email.backend
or FLEET_EMAIL_BACKEND
is set to ses
.
AWS STS External ID to use for SES authentication. This is typically used in conjunction with an STS role ARN to ensure that only the intended AWS account can assume the role.
FLEET_SES_STS_EXTERNAL_ID
ses:
sts_external_id: your_unique_id
This flag only has effect if email.backend
or FLEET_EMAIL_BACKEND
is set to ses
. This configuration is
required when using the SES email backend.
The ARN of the identity that is associated with the sending authorization policy that permits you to send for the email address specified in the Source parameter of SendRawEmail.
FLEET_SES_SOURCE_ARN
ses:
sts_assume_role_arn: arn:aws:iam::1234567890:role/ses-role
Name of the S3 bucket for storing software and bootstrap package.
FLEET_S3_SOFTWARE_INSTALLERS_BUCKET
s3:
software_intallers_bucket: some-bucket
Prefix to prepend to software.
FLEET_S3_SOFTWARE_INSTALLERS_PREFIX
s3:
software_intallers_prefix: prefix-here/
AWS access key ID to use for S3 authentication.
If s3_access_key_id
and s3_secret_access_key
are omitted, Fleet will try to use
the default credential provider chain.
The IAM identity used in this context must be allowed to perform the following actions on the bucket: s3:PutObject
, s3:GetObject
, s3:ListMultipartUploadParts
, s3:ListBucket
, s3:GetBucketLocation
.
FLEET_S3_SOFTWARE_INSTALLERS_ACCESS_KEY_ID
s3:
software_intallers_access_key_id: AKIAIOSFODNN7EXAMPLE
AWS secret access key to use for S3 authentication.
FLEET_S3_SOFTWARE_INSTALLERS_SECRET_ACCESS_KEY
s3:
software_intallers_secret_access_key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
AWS STS role ARN to use for S3 authentication.
FLEET_S3_SOFTWARE_INSTALLERS_STS_ASSUME_ROLE_ARN
s3:
software_intallers_sts_assume_role_arn: arn:aws:iam::1234567890:role/some-s3-role
AWS STS External ID to use for S3 authentication. This is typically used in conjunction with an STS role ARN to ensure that only the intended AWS account can assume the role.
FLEET_S3_SOFTWARE_INSTALLERS_STS_EXTERNAL_ID
s3:
software_intallers_sts_external_id: your_unique_id
AWS S3 Endpoint URL. Override when using a different S3 compatible object storage backend (such as Minio), or running S3 locally with localstack. Leave this blank to use the default S3 service endpoint.
FLEET_S3_SOFTWARE_INSTALLERS_ENDPOINT_URL
s3:
software_intallers_endpoint_url: http://localhost:9000
AWS S3 Force S3 Path Style. Set this to true
to force the request to use path-style addressing,
i.e., http://s3.amazonaws.com/BUCKET/KEY
. By default, the S3 client
will use virtual hosted bucket addressing when possible
(http://BUCKET.s3.amazonaws.com/KEY
).
See here for details.
FLEET_S3_SOFTWARE_INSTALLERS_FORCE_S3_PATH_STYLE
s3:
software_intallers_force_s3_path_style: false
AWS S3 Region. Leave blank to enable region discovery.
Minio users must set this to any nonempty value (eg. minio
), as Minio does not support region discovery.
FLEET_S3_SOFTWARE_INSTALLERS_REGION
s3:
software_intallers_region: us-east-1
Name of the S3 bucket for file carves.
FLEET_S3_CARVES_BUCKET
s3:
carves_bucket: some-bucket
All carve objects will also be prefixed by date and hour (UTC), making the resulting keys look like: <prefix><year>/<month>/<day>/<hour>/<carve-name>
.
FLEET_S3_CARVES_PREFIX
s3:
carves_prefix: prefix-here/
FLEET_S3_CARVES_ACCESS_KEY_ID
s3:
carves_access_key_id: AKIAIOSFODNN7EXAMPLE
FLEET_S3_CARVES_SECRET_ACCESS_KEY
s3:
carves_secret_access_key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
FLEET_S3_CARVES_STS_ASSUME_ROLE_ARN
s3:
carves_sts_assume_role_arn: arn:aws:iam::1234567890:role/some-s3-role
FLEET_S3_CARVES_STS_EXTERNAL_ID
s3:
carves_sts_external_id: your_unique_id
FLEET_S3_CARVES_ENDPOINT_URL
s3:
carves_endpoint_url: http://localhost:9000
FLEET_S3_CARVES_FORCE_S3_PATH_STYLE
s3:
carves_force_s3_path_style: false
FLEET_S3_CARVES_REGION
s3:
carves_region: us-east-1
If set then fleet serve
will run even if there are database migrations missing.
false
FLEET_UPGRADES_ALLOW_MISSING_MIGRATIONS
upgrades:
allow_missing_migrations: true
The path specified needs to exist and Fleet needs to be able to read and write to and from it. This is the only mandatory configuration needed for vulnerability processing to work.
When disable_schedule
is set to false
(the default), Fleet instances will try to create the databases_path
if it doesn't exist.
/tmp/vulndbs
FLEET_VULNERABILITIES_DATABASES_PATH
vulnerabilities:
databases_path: /some/path
How often vulnerabilities are checked. This is also the interval at which the counts of hosts per software is calculated.
1h
FLEET_VULNERABILITIES_PERIODICITY
vulnerabilities:
periodicity: 1h
You can fetch the CPE dictionary database from this URL. Some users want to control where Fleet gets its database. When Fleet sees this value defined, it downloads the file directly. It expects a file in the same format that can be found in https://github.com/fleetdm/nvd/releases. If this value is not defined, Fleet checks for the latest release in Github and only downloads it if needed.
""
FLEET_VULNERABILITIES_CPE_DATABASE_URL
vulnerabilities:
cpe_database_url: ""
You can fetch the CPE translations from this URL. Translations are used when matching software to CPE entries in the CPE database that would otherwise be missed for various reasons. When Fleet sees this value defined, it downloads the file directly. It expects a file in the same format that can be found in https://github.com/fleetdm/nvd/releases. If this value is not defined, Fleet checks for the latest release in Github and only downloads it if needed.
""
FLEET_VULNERABILITIES_CPE_TRANSLATIONS_URL
vulnerabilities:
cpe_translations_url: ""
Like the CPE dictionary, we allow users to define where to get the legacy CVE feeds from.
In this case, the URL should be a host that serves the files in the legacy feed format.
Fleet expects to find all the GZ and META files that can be found in https://nvd.nist.gov/vuln/data-feeds#JSON_FEED.
For example: FLEET_VULNERABILITIES_CVE_FEED_PREFIX_URL
+ /nvdcve-1.1-2002.meta
When not defined, Fleet downloads CVE information from the nvd.nist.gov host using the NVD 2.0 API.
""
FLEET_VULNERABILITIES_CVE_FEED_PREFIX_URL
vulnerabilities:
cve_feed_prefix_url: ""
When running multiple instances of the Fleet server, by default, one of them dynamically takes the lead in vulnerability processing. This lead can change over time. Some Fleet users want to be able to define which deployment is doing this checking. If you wish to do this, you'll need to deploy your Fleet instances with this set explicitly to true
and one of them set to false
.
Similarly, to externally manage running vulnerability processing, set the value to true
for all Fleet instances and then run fleet vuln_processing
using external
tools like crontab.
false
FLEET_VULNERABILITIES_DISABLE_SCHEDULE
vulnerabilities:
disable_schedule: false
Fleet by default automatically downloads and keeps the different data streams needed to properly do vulnerability processing. In some setups, this behavior is not wanted, as access to outside resources might be blocked, or the data stream files might need review/audit before use.
In order to support vulnerability processing in such environments, we allow users to disable automatic sync of data streams with this configuration value.
To download the data streams, you can use fleetctl vulnerability-data-stream --dir ./somedir
. The contents downloaded can then be reviewed, and finally uploaded to the defined databases_path
in the fleet instance(s) doing the vulnerability processing.
FLEET_VULNERABILITIES_DISABLE_DATA_SYNC
vulnerabilities:
disable_data_sync: true
Maximum age of a vulnerability (a CVE) to be considered "recent". The age is calculated based on the published date of the CVE in the National Vulnerability Database (NVD). Recent vulnerabilities play a special role in Fleet's automations, as they are reported when discovered on a host if the vulnerabilities webhook or a vulnerability integration is enabled.
720h
(30 days)FLEET_VULNERABILITIES_RECENT_VULNERABILITY_MAX_AGE
vulnerabilities:
recent_vulnerability_max_age: 48h
If using osquery 5.4 or later, Fleet by default will fetch and store all applied Windows updates and use that for detecting Windows vulnerabilities — which might be a writing-intensive process (depending on the number of Windows hosts in your Fleet). Setting this to true will cause Fleet to skip both processes.
FLEET_VULNERABILITIES_DISABLE_WIN_OS_VULNERABILITIES
vulnerabilities:
disable_win_os_vulnerabilities: true
The path to a valid Maxmind GeoIP database (mmdb). Support exists for the country & city versions of the database. If city database is supplied
then Fleet will attempt to resolve the location via the city lookup, otherwise it defaults to the country lookup. The IP address used
to determine location is extracted via HTTP headers in the following order: True-Client-IP
, X-Real-IP
, and finally X-FORWARDED-FOR
headers
on the Fleet web server.
You can get a copy of the Geolite2 database for free by creating an account on the MaxMind website, navigating to the download page, and downloading the GZIP archive. Decompress it and place the mmdb file somewhere fleet can access.
It is also possible to automatically keep the database up to date, see the documentation from MaxMind.
GeoIP databases can find what general area a device is from, but not the exact location. They work by collecting which IP addresses ISPs use for different cities and countries and packaging them up into a list mapping IP address to city.
You've likely seen services use GeoIP databases if they redirect you to a site specific to your country. e.g. Google will redirect you to google.ca if you visit from Canada or Mouser will change to your local currency if you view an electronic component.
This can be useful for your fleet install if you want to tell if a device is somewhere it shouldn't be. If a desktop machine located at a site in New York suddenly appears in London, then you can tell that something is wrong. It can also help you differentiate machines if they have similar names, e.g. if you have two computers "John's MacBook Pro".
While it can be a useful tool, an unexpected result could be an error in the database, a user connecting via a mobile network which uses the same IP address for a wide area, or a user visiting family. Checking on the location of devices too often could be invasive to employees who are keeping work devices on them for e.g. oncall responsibilities.
FLEET_GEOIP_DATABASE_PATH
geoip:
database_path: /some/path/to/geolite2.mmdb
If set, then Fleet serve
will capture errors and panics and push them to Sentry.
""
FLEET_SENTRY_DSN
sentry:
dsn: "https://somedsnprovidedby.sentry.com/"
This is the username to use for HTTP Basic Auth on the /metrics
endpoint.
If basic_auth.username
is not set, then:
If basic_auth.disable
is not set then the Prometheus /metrics
endpoint is disabled.
If basic_auth.disable
is set then the Prometheus /metrics
endpoint is enabled but without HTTP Basic Auth.
Default value: ""
Environment variable: FLEET_PROMETHEUS_BASIC_AUTH_USERNAME
Config file format:
prometheus:
basic_auth:
username: "foo"
This is the password to use for HTTP Basic Auth on the /metrics
endpoint.
If basic_auth.password
is not set, then:
If basic_auth.disable
is not set then the Prometheus /metrics
endpoint is disabled.
If basic_auth.disable
is set then the Prometheus /metrics
endpoint is enabled but without HTTP Basic Auth.
Default value: ""
Environment variable: FLEET_PROMETHEUS_BASIC_AUTH_PASSWORD
Config file format:
prometheus:
basic_auth:
password: "bar"
This allows running the Prometheus endpoint /metrics
without HTTP Basic Auth.
If both basic_auth.username
and basic_auth.password
are set, then this setting is ignored.
FLEET_PROMETHEUS_BASIC_AUTH_DISABLE
prometheus:
basic_auth:
disable: true
The
server_private_key
configuration option is required for macOS MDM features.
The Apple Push Notification service (APNs), Simple Certificate Enrollment Protocol (SCEP), and Apple Business Manager (ABM) certificate and key configuration are deprecated as of Fleet 4.51. They are maintained for backwards compatibility. Please upload your APNs certificate and ABM token. Learn how here.
The number of days the signed SCEP client certificates will be valid.
FLEET_MDM_APPLE_SCEP_SIGNER_VALIDITY_DAYS
mdm:
apple_scep_signer_validity_days: 100
The number of days allowed to renew SCEP certificates.
FLEET_MDM_APPLE_SCEP_SIGNER_ALLOW_RENEWAL_DAYS
mdm:
apple_scep_signer_allow_renewal_days: 30
The duration between DEP device syncing (fetching and setting of DEP profiles). Only relevant if Apple Business Manager (ABM) is configured.
FLEET_MDM_APPLE_DEP_SYNC_PERIODICITY
mdm:
apple_dep_sync_periodicity: 10m
The content of the Windows WSTEP identity certificate. An X.509 certificate, PEM-encoded.
FLEET_MDM_WINDOWS_WSTEP_IDENTITY_CERT_BYTES
mdm:
windows_wstep_identity_cert_bytes: |
-----BEGIN CERTIFICATE-----
... PEM-encoded content ...
-----END CERTIFICATE-----
If your WSTEP certificate/key pair was compromised and you change the pair, the disk encryption keys will no longer be viewable on all macOS hosts' Host details page until you turn disk encryption off and back on.
The content of the Windows WSTEP identity key. An RSA private key, PEM-encoded.
FLEET_MDM_WINDOWS_WSTEP_IDENTITY_KEY_BYTES
mdm:
windows_wstep_identity_key_bytes: |
-----BEGIN RSA PRIVATE KEY-----
... PEM-encoded content ...
-----END RSA PRIVATE KEY-----
This content was moved to Systemd on Sept 6th, 2023.
This content was moved to Proxies on Sept 6th, 2023.
This content was moved to Single sign-on (SSO) on Sept 6th, 2023.
This content was moved to Public IPs on Sept 6th, 2023.
Back to top