qq does fleet server do any logging other than wha...
# fleet
qq does fleet server do any logging other than whatever we configure on the LB in front or the osquery_results/status logs we’re after more ‘admin action’ type logs I suppose for the fleet ui and ai use . Ideally we want to 1. cleanly separate the osq results and status logs -> pubsub topic in GCP 2. forward any app logs via stdout but make sure they don’t include duplicate osq results/status logs could you please help explain how to achieve that 🙂
typo: api not ai 😄
we do see in the settings yaml fleet->logging->`json: false` and i guess separately plugins:
Copy code
statusPlugin: pubsub
resultPlugin: pubsub
however if I’m not mistaken we still seem to get pod stdout containing osquery result and status logs 😞 mixed with system logs for fleet is there a way to exclude osquery status and result logs from stdout ?
Hi, @Vlad Previn! While the pod logs might be a little jumbled, the
logs for Fleet itself should only include the server logs. It's not uncommon to pipe those logs to a file and then set up a file watcher to send the logs wherever they need to go.
hmm @Kathy Satterlee that’s odd. we definitely see these in pod stdout which to me look like osq result logs
Copy code
  "snapshot": [
      "name": "Google Chrome Helper (GPU)",
      "pid": "5435",
      "used": "1337.9200000000001"
      "name": "Google Chrome Helper (Renderer)",
      "pid": "93236",
      "used": "996.90999999999997"
      "name": "WindowServer",
      "pid": "578",
      "used": "956.13"
      "name": "Slack Helper (GPU)",
      "pid": "5384",
      "used": "414.06"
      "name": "Google Chrome",
      "pid": "5335",
      "used": "321.97000000000003"
  "action": "snapshot",
  "name": "pack/Global/Most memory intensive processes",
  "hostIdentifier": "xxxxxxxxxxxxxxxxxxxxxxxxxx",
  "calendarTime": "Wed Aug  3 16:42:33 2022 UTC",
  "unixTime": 1659544953,
  "epoch": 0,
  "counter": 0,
  "numerics": false,
  "decorations": {
    "host_uuid": "xxxxxxxxxxxxxxxxxxB",
    "hostname": "xxxxxxxxxxxxxxxxx"