Osquery uses basic SQL commands to leverage a relational data-model to describe a device.

osquery

I am sending osquery results directly to firehose and they get dumped into S3. The endpoint sends a file containing a batch of log results and status. I want to have each single event saved to S3 separate as a single object.
1. Is it possible by changing any agent configuration in Fleet UI Agent options? If yes, which config do I need to set?
2. Is this something that will skyrocket the cost of S3?

Greetings <@U06TT976M62>,
For #1 there is this <https://osquery.slack.com/archives/C01DXJL16D8/p1707153410095069|previous thread> that goes through some options to configure the logs.

For #2, it's hard to say since going for smaller _chunks_ but a similar size of data being stored. There might be more requests/work you need to do with your flow to read the data out but I think an additional 1 million requests in s3 is like $0.50usd.

Thanks, Grant. Really appreciate your help

Hey <@U05Q4A3R6R1>, thanks for your help again. I was able to make the snapshot results to output as single events on their separate lines. However, looking at Differential results now, the output seems to be incorrect, and bulking the results as a list of objects within the `removed`  and `added` keys. It looks like once I applied the flag `--logger_snapshot_event_type=true` it made the differential results to output in bulk as opposed to how it was before