https://github.com/osquery/osquery logo
Powered by
Title
v

Vlad Previn

08/04/2022, 7:18 AM
qq does fleet server do any logging other than whatever we configure on the LB in front or the osquery_results/status logs we’re after more ‘admin action’ type logs I suppose for the fleet ui and ai use . Ideally we want to 1. cleanly separate the osq results and status logs -> pubsub topic in GCP 2. forward any app logs via stdout but make sure they don’t include duplicate osq results/status logs could you please help explain how to achieve that 🙂
typo: api not ai 😄
we do see in the settings yaml fleet->logging->`json: false` and i guess separately plugins: 
Osquery->logging
statusPlugin: pubsub
resultPlugin: pubsub
however if I’m not mistaken we still seem to get pod stdout containing osquery result and status logs 😞 mixed with system logs for fleet is there a way to exclude osquery status and result logs from stdout ?
k

Kathy Satterlee

08/04/2022, 4:44 PM
Hi, @Vlad Previn! While the pod logs might be a little jumbled, the 
stdout
logs for Fleet itself should only include the server logs. It's not uncommon to pipe those logs to a file and then set up a file watcher to send the logs wherever they need to go.
b

Benjamin Edwards

08/04/2022, 5:20 PM
How to configure HTTP server logs: https://fleetdm.com/docs/deploying/configuration#logging-fleet-server-logging And how to configure osquery status/results logs: https://fleetdm.com/docs/deploying/configuration#pub-sub For example in AWS we configure Firehose as the logging destination: https://github.com/fleetdm/fleet/blob/1f479f5cddb7feaea8e4c43a2050f5134fd91ae1/infrastructure/dogfood/terraform/aws/ecs.tf#L208 https://github.com/fleetdm/fleet/blob/1f479f5cddb7feaea8e4c43a2050f5134fd91ae1/infrastructure/dogfood/terraform/aws/ecs.tf#L220 but the Fleet container logs are just stdout and consumed by Cloudwatch Logs
v

Vlad Previn

08/05/2022, 2:20 AM
hmm @Kathy Satterlee that’s odd. we definitely see these in pod stdout which to me look like osq result logs 
{
  "snapshot": [
    {
      "name": "Google Chrome Helper (GPU)",
      "pid": "5435",
      "used": "1337.9200000000001"
    },
    {
      "name": "Google Chrome Helper (Renderer)",
      "pid": "93236",
      "used": "996.90999999999997"
    },
    {
      "name": "WindowServer",
      "pid": "578",
      "used": "956.13"
    },
    {
      "name": "Slack Helper (GPU)",
      "pid": "5384",
      "used": "414.06"
    },
    {
      "name": "Google Chrome",
      "pid": "5335",
      "used": "321.97000000000003"
    }
  ],
  "action": "snapshot",
  "name": "pack/Global/Most memory intensive processes",
  "hostIdentifier": "xxxxxxxxxxxxxxxxxxxxxxxxxx",
  "calendarTime": "Wed Aug  3 16:42:33 2022 UTC",
  "unixTime": 1659544953,
  "epoch": 0,
  "counter": 0,
  "numerics": false,
  "decorations": {
    "host_uuid": "xxxxxxxxxxxxxxxxxxB",
    "hostname": "xxxxxxxxxxxxxxxxx"
  }
}
2 Views
#fleetJoin Slack
Powered by