#fleet

chrismsnz

04/03/2023, 9:29 PM
While we're talking about it - what are people using to receive, work with, alert on, analyse etc. the osquery result logs? Interested to hear what people are doing, or if there are any osquery-specific projects in that space, since it's not really in Fleet's feature set.

Jason

04/03/2023, 9:40 PM
We ship logs to https://coralogix.com/ - it's like a souped-up, managed ELK stack. Lots of folks use ELK

chrismsnz

04/03/2023, 10:03 PM
yeah happy to do my own analysis in kibana etc but just wondering if there were other solutions out there

Jesus Santos

04/04/2023, 12:31 PM
We send logs to the Fleet server (running on k8s), then export these logs to AWS S3 with FluentBit. From there we ingest this data into Databricks (basically a datalake platform), and from there we run the searches and use an in-house solution for alerting and deduplication of the results.

Keith Swagler

04/04/2023, 1:19 PM
Splunk for us

John Speno

04/04/2023, 1:22 PM
ELK here

Juan Alvarez

04/04/2023, 2:25 PM
We send the data to Devo via FleetDM

chrismsnz

04/04/2023, 7:54 PM
thanks all, interesting spread

zwass

04/05/2023, 1:34 AM
Thank you all for sharing 🙂 We see a ton of Splunk and ELK, along with Snowflake (+ Panther), Devo, Sumo Logic, and Graylog. GCP also seems to recommend Fleet for osquery log ingestion with their Chronicle product, though we haven't yet seen it ourselves. We've also seen some use of SOAR platforms (particularly with the webhooks features on policies and vulnerabilities); folks seem very pleased with Tines.

defensivedepth

04/06/2023, 5:39 PM
Security Onion here, backend of Elastic Stack with custom Hunt, Dashboard & Alerting interfaces. Built-in integration & parsing for osquery logs.