The best way to convert osquery JSON packs to the fleetctl YAML format is with the fleetctl convert command. To install fleetctl, run the following on macOS:
brew install kolide/tap/fleetctl
To install fleetctl locally on other platforms, see the Releases Page.
The fleetctl convert command requires the -f flag with a path to a pack and will print a converted pack to stdout:
fleetctl convert -f ~/git/osquery/packs/osx-attacks.conf >> osx-attacks.yaml
You can then apply this pack:
fleetctl apply -f ./osx-attacks.yaml
There's a bug here which assumes you need to open the file from the same folder. file.Name() is only the name of the file, not the path.