Osquery uses basic SQL commands to leverage a relational data-model to describe a device.

osquery

I’ve got the ability to (re)architect endpoint logging/metrics (don’t plan to replace logstash/es/kibana nor do I plan to have extra servers for elastic agent/osquery management - ansible is the deployment and I don’t want other mechanisms for that atm). What would be your preferred endpoint log stack? I was just thinking osquery -&gt; syslog -&gt; vecter (or fluent or just rsyslog) but figured this was the place to ask. 

I think you’ve got lots of choices, and it depends a lot on what you want.

These days i work for Kolide, so we’re all about the network ingestion.


But in a past job I deployed with osquery -&gt; local disk -&gt; filebeat.

I think it probably depends on what your log stack already looks like.