# fleet
m
Hi all - I have Fleet configured to send query data to Splunk via AWS firehose. I had thought previously that only data from scheduled queries would go into the firehose, but it seems that all of my configured queries are going into it. Is there a way to only send my scheduled queries to the firehose?
b
Are you using the logging destination Firehose? https://fleetdm.com/docs/using-fleet/log-destinations#amazon-kinesis-data-firehose If so only scheduled query logs will be sent.
m
Hi @Benjamin Edwards - That's what I was thinking as well. In my agent options I have logger_plugin: aws_firehose - in your link I see that it's just firehose - is there a difference between the two?
b
Oh you are talking about osquery logging. In that case all results will be logged. If you want to manage logs only through Fleet you can set the logger plugin to TLS (fleet server) and then the fleet server will forward to firehose.
m
Ahh ok. I see now, thank you!
b
Are you using fleetd or vanilla osquery? fleetd agent comes configured with TLS logging, but you can override the agent options via fleet
m
Fleetd
b
Nice. Yeah so unless you need to configure osquery logging to firehose, I’d leave it as TLS and then configure the fleet server to handle forwarding osquery results.
Also great thing about that is not having to supply AWS access secrets to osquery hosts. Fleet server can utilize instance IAM roles for firehose permissions.
m
Great point! I honestly had thought we had it configured to work through Fleet, but it sounds like we need to reconfigure a bit. Here's what I have as Agent Options in Fleet - what do I need to change?
config:
  options:
    aws_region: <REDACT>
    pack_delimiter: /
    aws_access_key_id: <REDACT>
    logger_tls_period: 10
    distributed_plugin: tls
    aws_firehose_stream: <REDACT>
    disable_distributed: false
    logger_tls_endpoint: /api/osquery/log
    distributed_interval: 30
    aws_secret_access_key: <REDACT>
    distributed_tls_max_attempts: 3
  decorators:
    load:
      - SELECT uuid AS host_uuid FROM system_info;
      - SELECT hostname AS hostname FROM system_info;
  command_line_flags:
    config_plugin: tls
    disable_audit: false
    logger_plugin: aws_firehose
    config_refresh: 300
    disable_events: false
g
I believe it should look like this - remove all the aws_ things from your agent options:
config:
  options:
    pack_delimiter: /
    distributed_plugin: tls
    disable_distributed: false
    logger_tls_endpoint: /api/v1/osquery/log
    distributed_interval: 30
    distributed_tls_max_attempts: 3
Then make sure your Fleet server configs have your Firehose info configured, and let Fleet handle the period based on the automation settings. You might want to adjust your command_line_flags also.