The best way to convert osquery JSON packs for fleetctl yaml format is with the fleetctl convert command. To install fleetctl, run the following on macOS:
brew install kolide/tap/fleetctl
To install fleetctl locally on other platforms, see the Releases Page.
The fleetctl convert command requires the -f flag with a path to a pack and will print a converted pack to stdout:
fleetctl convert -f ~/git/osquery/packs/osx-attacks.conf >> osx-attacks.yaml
You can then apply this pack:
fleetctl apply -f ./osx-attacks.yaml
Related to @groob's comment: I had to cd into the pack dir first.
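An added example, not part of the original thread or the fleetctl project: a batch form of the convert step that runs fleetctl convert -f from inside the pack directory (as the comment above reports was needed) and writes each pack to its own file with > so a re-run cannot append a second copy the way >> would. The function name convert_packs, the FLEETCTL override variable and the *.conf / output-directory layout are assumptions.

```shell
#!/bin/sh
# Added example: batch wrapper around `fleetctl convert -f <pack>`.
# convert_packs, FLEETCTL and the directory arguments are hypothetical names.

# convert_packs PACK_DIR OUT_DIR
# Converts every *.conf pack in PACK_DIR to OUT_DIR/<name>.yaml.
# Returns 0 if all packs converted, 1 if any failed, 2 on a setup error.
convert_packs() {
    pack_dir=$1
    out_dir=$2
    # FLEETCTL overrides the binary (use an absolute path, since we cd below).
    fleetctl_bin=${FLEETCTL:-fleetctl}

    [ -d "$pack_dir" ] || { echo "no such pack dir: $pack_dir" >&2; return 2; }
    mkdir -p "$out_dir" || return 2
    # Resolve to an absolute path before changing directory.
    out_dir=$(cd "$out_dir" && pwd) || return 2

    # Subshell: the caller's working directory is left untouched.
    (
        cd "$pack_dir" || exit 2
        failed=0
        for pack in *.conf; do
            [ -f "$pack" ] || continue      # glob matched nothing
            target="$out_dir/${pack%.conf}.yaml"
            tmp="$target.tmp"
            # '>' truncates, so re-running never duplicates the YAML documents.
            if "$fleetctl_bin" convert -f "$pack" > "$tmp"; then
                mv "$tmp" "$target"
                echo "converted $pack -> $target"
            else
                # Do not leave a partial file that could later be applied.
                rm -f "$tmp"
                echo "FAILED $pack" >&2
                failed=1
            fi
        done
        exit "$failed"
    )
}
```

Each resulting file can then be applied with fleetctl apply -f, as in the step above.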