From https://fleetdm.com/:

Ask questions about your servers, containers, and laptops running Linux, Windows, and macOS. Quickly deploy osquery and scale your fleet to 50,000+ devices on top of a stable core technology.


If you chose to enable Fleet during setup, you can now log in to Fleet using the email address and password that you entered in the installer. You can change the password or add a new Fleet user within Fleet itself.


Custom osquery packages were generated for you during setup and you can find them under Downloads in Security Onion Console (SOC). Before you install a package on an endpoint, use so-allow on your manager node to configure the firewall to allow inbound osquery connections.


Fleet configuration can be found in /opt/so/conf/fleet/. However, please keep in mind that any changes you make in this directory may be overwritten, since the configuration is managed with Salt.

Diagnostic Logging

Fleet logs can be found in /opt/so/log/fleet/.


fleetctl is a command-line utility that allows you to manage your Fleet instance and run live queries from the CLI.

If you are using fleetctl from the manager and Fleet is enabled on the manager, first set the fleetctl login configuration (the --tls-skip-verify flag turns off TLS certificate verification for this connection to localhost):

./fleetctl config set --address https://localhost:8080 --url-prefix fleet --tls-skip-verify

Then log in using a valid username and password:

./fleetctl login

Adding Query Packs

You can bulk add queries and packs to FleetDM using fleetctl.

The following host directory is mapped into the FleetDM container (the command below references it as /packs), so you can drop your query packs there: /opt/so/conf/fleet/packs

For instance:

sudo docker exec -it so-fleet fleetctl apply -f /packs/<yourpack>.yaml
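
A sketch of what a pack file for the command above can look like, as an added example that is not taken from the Security Onion or Fleet documentation. The query and pack names are constructed for illustration, and it assumes the built-in "All Hosts" label and the apiVersion v1 query and pack spec kinds accepted by fleetctl apply:

```yaml
# Constructed example pack; save it under /opt/so/conf/fleet/packs/ on the manager.
# Query definitions come first so the pack below can reference them by name.
---
apiVersion: v1
kind: query
spec:
  name: listening_ports_with_process
  description: Listening sockets and the process that owns each one
  query: >
    SELECT p.name, p.path, lp.port, lp.protocol, lp.address
    FROM listening_ports lp JOIN processes p USING (pid)
    WHERE lp.port != 0;
---
apiVersion: v1
kind: query
spec:
  name: ssh_authorized_keys
  description: SSH public keys authorized for each local user
  query: >
    SELECT u.username, ak.key_file, ak.algorithm
    FROM users u JOIN authorized_keys ak USING (uid);
---
apiVersion: v1
kind: pack
spec:
  name: example_baseline            # hypothetical pack name
  description: Constructed example pack for host baselining
  targets:
    labels:
      - All Hosts                   # assumes the built-in label covering every enrolled host
  queries:
    # "query" refers to a query spec name above; "name" labels the schedule entry.
    - query: listening_ports_with_process
      name: listening_ports_differential
      interval: 600                 # seconds; differential results report only changes
    - query: ssh_authorized_keys
      name: ssh_authorized_keys_snapshot
      interval: 3600
      snapshot: true                # report the full result set on every run
```

The differential entry reports only rows that appeared or disappeared since the previous run, so a new listener shows up as an added row, while the snapshot entry returns the full key inventory each hour.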

More Information

See also

For more information about osquery, please see the osquery section.

For more information about Fleet, please see https://fleetdm.com/.