# general
hello everyone.  I think this question belongs here vs #fleet, but could go either way I guess.  After watching one of the presentations at osquery@scale (Reliable osquery deployment for the paranoid), we have decided that we are going to manage our osquery config at our clients (via puppet mostly) vs setting the config centrally at Fleet (which we do currently).  Current config in our flags file (minus anything sensitive), some of which is already being overridden by Fleet:
I'd just like to confirm the recommended approach to do that would be to remove the following settings from our osquery.flags file (and remove the config we are setting at Fleet - the stuff in osquery options / fleetctl get options):
Anything else?
You may want to evaluate . If you want to send logs/results to Fleet then leave it as is. If you want to store the logs on disk set it to or both
Thanks @CptOfEvilMinions, we do want to send the logs to Fleet still. We may or may not decide to keep them locally as well.
Just my 2 cents. When it’s appropriate I like to store logs on the device if I can. Just in case the logging pipeline goes down and events are missed, they still exist on the host for investigation.
Right, that makes total sense.
I'm trying to recall why our security team wasn't jazzed on having them local as well. 🙂
Possibly because it gives attackers insight into what you’re logging? Another possibility is that things like command line logging can contain secrets.
You say that, but the config and queries are on disk, so it's not always the most difficult to reverse.