Converting osquery packs to fleetctl yaml

README.md

Converting Query Packs

The best way to convert osquery JSON packs for fleetctl yaml format is with the fleetctl convert command. To install fleetctl, run the following on macOS:

brew install kolide/tap/fleetctl

To install fleetctl locally on other platforms, see the Releases Page.

Usage

The fleetctl convert command requires the -f flag with a path to a pack and will print a converted pack to stdout:

fleetctl convert -f ~/git/osquery/packs/osx-attacks.conf >> osx-attacks.yaml

You can then apply this pack:

fleetctl apply -f ./osx-attacks.yaml

	for _, file := range files {
		content, err := os.Open(file.Name())

there's a bug here which assumes you need to open the file from the same folder. file.Name() is only the name of the file, not the path.

related to @groob's comment. I had to cd into the pack dir first

cd path/to/packs
go run /path/to/import.go -hostname ... -secret ... -packs_dir $PWD

I am running into an issue where if a query already exists, it errors out and stops the import. Is there a way to have it add the existing name to the pack and then continue on?

@benbasscom - I'm not sure if anyone is still looking at this code but I forked it and patched it so that it will catch the http.statuscode 409 and then do a lookup of the query ID by name and return that query ID to the script so that the existing query can be added to the new pack. I've never coded GO before so no warranties but you can try if it if you like.

https://github.com/offsecn00b/OSqueryPackImporter/blob/master/import.go