# fleet
d
Hi guys, who is using the Firehose plugin at Fleet? How can I debug the connection to AWS? For incorrect access/secret keys and so on and so forth. Enabling the logging.debug: true in Fleet didn't have any results...
Or maybe Firehose is available only with a Premium license?
o
Do you have failed events going to S3? That’s where the money is for data stream errors
l
Hi folks! Firehose as logging destination for osquery status logs and osquery result logs is a Fleet free feature. Firehose as logging destination for audit logs is a Fleet Premium feature. What logs are you trying to send to Firehose? Also, what version of Fleet are you using? I faked an error on a logging destination on a local instance of Fleet and I can see a level=error being generated:
level=error ts=2024-04-16T14:14:09.100033Z component=http method=POST uri=/api/osquery/log took=8.726226ms ip_addr=172.16.132.186 x_for_ip_addr= results=1 err="error writing result logs (if the logging destination is down, you can reduce frequency/size of osquery logs by increasing logger_tls_period and decreasing logger_tls_max_lines): some error" uuid=66db949d-d6ab-4606-ac41-d3db946cbc4f
d
Hi, I'm using Firehose for result logs at Fleet 4.48.2. OK, I got it. I mean regarding errors. Will try to catch it.
l
Another approach is by looking at agent (osquery) logs, e.g. in my case:
465173 I0416 11:14:14.299288 177504256 buffered.cpp:72] Error sending results to logger: Request failed: error writing result logs (if the logging destination is down, you can reduce frequency/size of osquery logs by increasing logger_tls_period and decreasing logger_tls_max_lines): some error