Hi all, I’m running fleet in ECS and using environment variables to send logs via firehose. I’ve verified that the container is able to put records to the firehose delivery streams and i’ve got the following vars set:

FLEET_OSQUERY_RESULT_LOG_PLUGIN=firehose
FLEET_OSQUERY_STATUS_LOG_PLUGIN=firehose
FLEET_FIREHOSE_RESULT_STREAM=osquery_results
FLEET_FIREHOSE_REGION=eu-central-1
FLEET_FIREHOSE_STATUS_STREAM=osquery_status

but I’m not seeing any status or result log messages in firehose. Am I missing something?

Hi @George! Are you enrolling your hosts using Fleet packages, or plain osquery?

I’m using plain osquery

Do you have osquery configured to send the logs to Fleet?

This is my flags file: (i have

--tls-hostname

set i’ve just omitted it from the screenshot)

Great. You didn’t include the credentials in your environment variables. Are you setting either an access key and ID or STS role ARN?

Ahh I think that’s it. Thanks @Kathy Satterlee 🙂

If your using ECS the AWS sdk fleet imports should just pick up the task role via EC2 metadata/ecs magic. Unless you have some custom roles you need fleet app to assume those shouldn’t be required.

Up and running, @George?

Hi @Kathy Satterlee unfortunately not. I’m thinking it might be something with my osquery client configuration, but I need to find the time to test it!