While we're talking about it - what are people using to receive, work with, alert on, analyse etc. the osquery result logs? interested to hear what people are doing, or if there are any osquery-specific projects in that space since its not really in fleet's featureset

We ship logs to https://coralogix.com/ - it's like a souped-up, managed ELK stack. Lots of folks use ELK

yeah happy to do my own analysis in kibana etc but just wondering if there were other solutions out there

We send logs to the fleet server (running on k8s), then export these logs to AWS S3 with FluentBit, from there we ingest this data do Databricks (basically a datalake platform), and from there we make the searches and use an in-house solution for alerting and deduplication of the results

Splunk for us

ELK here

We send the data to Devo via FleetDM

thanks all, interesting spread

Thank you all for sharing 🙂 We see a ton of Splunk and ELK, along with Snowflake (+ Panther), Devo, Sumo Logic, and Graylog. GCP also seems to recommend Fleet for osquery log ingestion with their Chronicle product, though we haven't yet seen it ourselves. We've also seen some use of SOAR platforms (particularly with the webhooks features on policies and vulnerabilities) -- Folks seem very pleased with Tines.

Security Onion here, backend of Elastic Stack with custom Hunt, Dashboard & Alerting interfaces. Builtin integration & parsing for osquery logs.