I've run into an issue with not getting any Firehose logs in my results bucket. Here's what I've got and tested out .... • I've set things up with Fleet Terraform (using byo-vpc), with fleet v4.47.2. I think everything else is working (web UI, hosts checking in, queries w/ schedules loaded, ...) • I'm able to do a live query and get results back in the UI. • I'm getting status logs in S3 via firehose. • In my results Firehose stream I was able to get data in the results bucket with the "Test with demo data" • My ECS task definition has

FLEET_OSQUERY_RESULT_LOG_PLUGIN

set to "firehose" • Verified that my results Firehose stream destination is my results bucket. Anybody have thoughts on what I could be missing? Thanks!

@Eric Julien https://osquery.slack.com/archives/C01DXJL16D8/p1710506024969489?thread_ts=1710440787.986999&channel=C01DXJL16D8&message_ts=1710506024.969489

I ran some live queries and didn't see anything in firehose, and also have some scheduled queries (although those haven't returned any data). I'll try a scheduled query that I know will send back some data. Thanks!

I get nothing in firehose with live queries either. I think that is expected behavior. Scheduled queries are where the money is in terms of results that actually hit firehose.

hmmm ... I had a scheduled query run against a host (I only have 1 host in Fleet while I'm testing) and still no logs in the firehose results bucket. 🤔

You have query automations enabled?

@Oliver Reardon that was it! Just needed to check the box. I think that needs to be a column in the Queries tab, showing which ones send data. 😁 Thanks!

Glad I wasn’t the only one who had issues finding that option.