# fleet
m
Hi all - I'm revisiting an old issue with configuring firehose to send logs from FleetDM to Splunk. I have the firehose configured in my fleet.yml file, but nothing is sending to the firehose. I don't see any errors related to this in my /var/log/syslog file (I see other errors related to Fleet so I'm pretty sure that's where the errors would output). I do have some automations configured, so in theory we should be seeing some data hitting that firehose and moving on to Splunk. Not sure where to proceed from here...

fleet.yml (snippet):

```yaml
osquery:
  osquery_status_log_plugin: firehose
  osquery_result_log_plugin: firehose
firehose:
  region: REDACT
  access_key_id: REDACT
  secret_access_key: REDACT
  status_stream: osquery_status
  result_stream: osquery_result
  audit_stream: fleet_audit
```

Agent options (from Fleet GUI):

```yaml
config:
  options:
    pack_delimiter: /
    distributed_plugin: tls
    disable_distributed: false
    logger_tls_endpoint: /api/v1/osquery/log
    distributed_interval: 30
    distributed_tls_max_attempts: 3
  decorators:
    load:
      - SELECT uuid AS host_uuid FROM system_info;
      - SELECT hostname AS hostname FROM system_info;
command_line_flags:
  verbose: true
  config_plugin: tls
  disable_audit: false
  logger_plugin: tls
  config_refresh: 300
  disable_events: false
  enable_file_events: true
  watchdog_memory_limit: 1024
  audit_allow_process_events: true
  enable_ntfs_event_publisher: true
  enable_windows_events_publisher: true
  enable_windows_events_subscriber: true
```
r
@Mike S. Can you run `SELECT * FROM osquery_flags;` and show us the results? Can you also send us the fleetd logs?
m
DM'ing!
r
@Mike S. We see some queries coming from packs. How are you managing those? Do you have automations scheduled for each of your scheduled queries? If not, then the logs will not be forwarded.
@Mike S. Also, what version of Fleet are you running?
m
@Rebecca Cowart We do have automations scheduled for many of these queries. For the queries coming from packs, we just manage those through the Fleet UI. Fleet version is 4.64. One thing I just noticed is that the destination is set to the filesystem, which might be the issue.
r
@Mike S. Perfect. Update that destination, and let's see if that solves your issue!
m
Would I set that in the agent options, or in Fleet.yml?
r
@Mike S. I would check the Fleet UI first and ensure your destination is set to your firehose. Is that where you just saw it incorrectly set to filesystem?
m
I noticed it when I double-checked to see if automations were enabled:
r
@Mike S. How are you passing your config file to Fleet? It looks as though your config file is not being applied. Have you restarted Fleet since configuring your Firehose?
@Mike S. Let me know if you see any errors in your server logs as well.
m
We were doing it through agent options, but I believe that was sending everything, not just the automated queries, and we didn't want that. So we have that configured in fleet.yml.
r
@Mike S. How do you have Fleet deployed? We are trying to determine how you are passing that yaml file to Fleet.
@Mike S. Have you restarted your server since configuring Firehose? This configuration is only applied when it is started up.
m
Sorry, I saw you asked that earlier but missed it. Let me give it a reboot since I can't be sure that has happened.
For the Fleet deployment question - I'm not sure what you mean. Are you referring to how we set up the EC2?
We saw some enrollment errors in the server logs, but nothing else.
Post-reboot, it looks like the logging destination is still the filesystem.
r
@Mike S. Are you using our Terraform? It sounds as if you're using AWS. Typically, in a cloud-based deployment, you would be setting environment variables rather than using a config file.
m
Nah, we built this manually before we had Terraform setup. We are using AWS.
r
@Mike S. In this case, we would expect this all to be set using environment variables. Is that config file something you created just for this, or did it already exist?
m
It was created as part of the Fleet server configuration - I pulled the info from here: https://fleetdm.com/docs/configuration/fleet-server-configuration
r
@Mike S. I would recommend configuring these as environment variables.
b
as long as you are launching the fleet server with `serve --config config.yml` (sub name of your config file) it should work fine. Make sure you aren't confusing the fleet server yaml configuration with agent configuration. The firehose settings are only relevant for the server configuration. If you are still seeing filesystem as the backend (it's the default value) then your configuration isn't being supplied correctly or the server needs to be restarted to pick up the new changes.
m
Yep, that's how it's being served - `/usr/bin/fleetdm/fleet serve --config /usr/bin/fleetdm/fleet.yml`
b
the server config should look something like:
```yaml
server:
  tls: false
logging:
  debug: true
osquery:
  result_log_plugin: firehose
firehose:
  region: ca-central-1
  result_stream: osquery_result
```
(omitted some of the other keys for brevity)
m
I do see a difference in mine:

```yaml
osquery:
  osquery_status_log_plugin: firehose
  osquery_result_log_plugin: firehose
```

Should that just be `result_log_plugin` and `status_log_plugin`?
b
yeah those aren't valid keys.
r
@Mike S. Ah! And I checked over your config values so thoroughly, too! My eyes deceived me!
m
No worries! That’s been sitting there for who knows how long and I missed it too!