The best way to convert osquery JSON packs to the fleetctl YAML format is with the fleetctl convert command. To install fleetctl, run the following on macOS:

brew install kolide/tap/fleetctl

To install fleetctl locally on other platforms, see the Releases Page.

The fleetctl convert command requires the -f flag with a path to a pack and will print a converted pack to stdout:

fleetctl convert -f ~/git/osquery/packs/osx-attacks.conf > osx-attacks.yaml

You can then apply this pack:

fleetctl apply -f ./osx-attacks.yaml
@benbasscom - I'm not sure if anyone is still looking at this code, but I forked it and patched it so that it will catch the http.statuscode 409 and then do a lookup of the query ID by name and return that query ID to the script, so that the existing query can be added to the new pack. I've never coded Go before, so no warranties, but you can try it if you like.
https://github.com/offsecn00b/OSqueryPackImporter/blob/master/import.go
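The conversion described in the first reply, together with the failure mode the second reply runs into (the server rejecting a query whose name already exists), as an added example in Python. This is not fleetctl's converter and not the linked importer. It assumes the spec layout fleetctl emits (apiVersion/kind/spec documents, with the pack's scheduled queries referring to query specs by name); treat the exact field names as an assumption and diff against real fleetctl convert output before depending on them. It goes beyond the single-pack case in the thread: several packs are converted at once, identical queries are emitted once, and a name that is reused with different SQL is renamed rather than letting one pack silently overwrite another's query. The sample packs are constructed for the example, not files from osquery/packs.

```python
"""Convert osquery pack JSON into fleetctl-style query and pack specs.

Added example, not fleetctl's own converter. Field names follow what
`fleetctl convert` emits as assumed here; verify against real output.
"""
import json
from typing import Dict, List, Tuple

# Constructed sample packs in osquery's pack JSON format (not real
# osquery/packs files). "launchd" is reused with different SQL in the
# second pack on purpose, to exercise the name-collision handling.
SAMPLE_PACKS: Dict[str, str] = {
    "osx-attacks": json.dumps({
        "platform": "darwin",
        "queries": {
            "launchd": {
                "query": "select * from launchd where path like '%/LaunchAgents/%';",
                "interval": 3600, "version": "1.4.5",
                "description": "Persistence via LaunchAgents",
            },
            "kernel_extensions": {
                "query": "select * from kernel_extensions;",
                "interval": 3600, "snapshot": True,
            },
        },
    }),
    "incident-response": json.dumps({
        "queries": {
            "launchd": {"query": "select * from launchd;", "interval": 7200,
                        "platform": "darwin"},
            "kernel_extensions": {"query": "select * from kernel_extensions;",
                                  "interval": 600, "snapshot": True},
        },
    }),
}


def load_pack(name: str, raw: str) -> dict:
    """Parse one osquery pack and validate the fields the converter relies on."""
    pack = json.loads(raw)
    queries = pack.get("queries")
    if not isinstance(queries, dict):
        raise ValueError(f"pack {name!r}: missing 'queries' object")
    for qname, q in queries.items():
        if not isinstance(q, dict) or not isinstance(q.get("query"), str):
            raise ValueError(f"pack {name!r}: query {qname!r} has no SQL text")
        if "interval" in q and not isinstance(q["interval"], int):
            raise ValueError(f"pack {name!r}: query {qname!r} interval is not an int")
    return pack


def convert_packs(packs: Dict[str, str]) -> Tuple[List[dict], List[dict]]:
    """Return (query_specs, pack_specs) for a set of packs, keyed by pack name.

    Query specs are deduplicated by name across packs. If a name is already
    taken by different SQL, the query is renamed "<pack>-<name>" so applying
    the output never overwrites another pack's query and never collides with
    an existing query name on the server.
    """
    query_specs: Dict[str, dict] = {}
    pack_specs: List[dict] = []
    for pack_name, raw in packs.items():
        pack = load_pack(pack_name, raw)
        scheduled: List[dict] = []
        for qname, q in pack["queries"].items():
            sql = q["query"].strip()
            spec_name = qname
            existing = query_specs.get(spec_name)
            if existing is not None and existing["spec"]["query"] != sql:
                spec_name = f"{pack_name}-{qname}"  # assumed renaming scheme
                existing = query_specs.get(spec_name)
                if existing is not None and existing["spec"]["query"] != sql:
                    raise ValueError(f"unresolvable name collision on {spec_name!r}")
            if existing is None:
                query_specs[spec_name] = {"apiVersion": "v1", "kind": "query", "spec": {
                    "name": spec_name, "description": q.get("description", ""), "query": sql}}
            entry = {"query": spec_name, "name": qname, "interval": q.get("interval", 3600)}
            platform = q.get("platform", pack.get("platform"))  # pack-level default
            if platform:
                entry["platform"] = platform
            for key in ("version", "snapshot", "removed", "shard"):
                if key in q:
                    entry[key] = q[key]
            scheduled.append(entry)
        pack_specs.append({"apiVersion": "v1", "kind": "pack", "spec": {
            "name": pack_name, "targets": {"labels": None}, "queries": scheduled}})
    return list(query_specs.values()), pack_specs


def _scalar(v) -> str:
    # json.dumps output is valid YAML for null/bool/int/double-quoted strings.
    return "null" if v is None else json.dumps(v)


def _emit(node, indent: int, out: List[str]) -> None:
    pad = "  " * indent
    if isinstance(node, dict):
        for k, v in node.items():
            if isinstance(v, (dict, list)) and v:
                out.append(f"{pad}{k}:")
                _emit(v, indent + 1, out)
            else:
                out.append(f"{pad}{k}: " + ("{}" if v == {} else "[]" if v == [] else _scalar(v)))
    else:
        for item in node:
            if isinstance(item, dict) and item:
                lines: List[str] = []
                _emit(item, indent + 1, lines)
                out.append(f"{pad}- {lines[0].lstrip()}")  # first key shares the "- " line
                out.extend(lines[1:])
            else:
                out.append(f"{pad}- {_scalar(item)}")


def to_yaml(docs: List[dict]) -> str:
    """Serialize specs as a multi-document YAML stream with the stdlib only."""
    out: List[str] = []
    for doc in docs:
        out.append("---")
        _emit(doc, 0, out)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    queries, packs = convert_packs(SAMPLE_PACKS)
    print(to_yaml(queries + packs), end="")  # pipe into a file, then fleetctl apply -f
```

Run it and redirect stdout to a file the same way the thread does for fleetctl convert; query specs come first so the pack specs that reference them apply cleanly. The YAML emitter deliberately avoids PyYAML: every scalar goes through json.dumps, whose quoting and escaping are a subset of YAML's, so a query containing colons, quotes or `#` is still emitted correctly.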