Hi all, I'm revisiting our firehose config, as it looks like originally we had logs going from each Fleet client into Splunk. We're trying to reconfigure so that logs go to Fleet, which then go to Splunk, but it looks like nothing is coming through. I'm not seeing any errors in the Fleet logs - this worked once upon a time, but it has been reconfigured enough where I think something got tweaked that caused it to stop working. (To clarify we're going for query results, from what I recall audit log data is not available in the free version) Here's my config: Agent options: config: options: pack_delimiter: / distributed_plugin: tls disable_distributed: false logger_tls_endpoint: /api/v1/osquery/log distributed_interval: 30 distributed_tls_max_attempts: 3 decorators: load: - SELECT uuid AS host_uuid FROM system_info; - SELECT hostname AS hostname FROM system_info; command_line_flags: verbose: true config_plugin: tls disable_audit: false logger_plugin: tls config_refresh: 300 disable_events: false enable_file_events: true watchdog_memory_limit: 1024 audit_allow_process_events: true enable_ntfs_event_publisher: true enable_windows_events_publisher: true enable_windows_events_subscriber: true ---------- fleet.yaml ..snip.. logging: json: 'true' debug: 'false' live_query_rest_period: 90s activity: enable_audit_log: 'true' audit_log_plugin: 'firehose' osquery: osquery_status_log_plugin: firehose osquery_result_log_plugin: firehose firehose: region: <REDACT> access_key_id: <REDACT> secret_access_key: <REDACT> status_stream: osquery_status result_stream: osquery_result audit_stream: fleet_audit

Hi Mike, thank you for your question. When you say "nothing is coming through," do you mean that you cannot view your query results in the Fleet UI?

Hi Rebecca - sorry I should have clarified - I can see results in the Fleet UI, but nothing is making it through to Splunk.

The first thing I recommend checking is whether your automations are turned on for the queries you wish to collect data from. If you go to your Queries tab on Fleet Desktop and look at your list of queries that are running, check the Automations column in the table, and ensure that the green dot is present for the queries you wish to collect results from. If none of them are on, you will need to click Manage Automations and check a box for the queries you wish to have turned on.

It looks we do have a series of queries that are collecting results in the Manage Automation section.

If the desired queries are enabled for automation, I would recommend checking the server logs (/api/v1/osquery/log) for anything missing, such as a missing permission.