hello everyone I think this question belongs here vs

Question

hello everyone I think this question belongs here vs < C01DXJL16D8|fleet> but could go either way I guess After watching one of the presentations at osquery scale Reliable osquery deployment for the paranoid we have decided that we are going to manage our osquery config at our clients via puppet mostly vs setting the config centrally at Fleet which we do currently Current config in our flags file minus anything sensitive some of which is already being overridden by Fleet ` enroll secret path=` ` tls hostname=` ` host identifier=` ` enroll tls endpoint= api v1 osquery enroll` ` config plugin=tls` ` config tls endpoint= api v1 osquery config` ` config refresh=3600` ` disable distributed=false` ` distributed plugin=tls` ` distributed interval=60` ` distributed tls max attempts=3` ` distributed tls read endpoint= api v1 osquery distributed read` ` distributed tls write endpoint= api v1 osquery distributed write` ` logger plugin=tls` ` logger tls endpoint= api v1 osquery log` ` logger tls period=10` I d just like to confirm the recommended approach to do that would be to remove the following settings from our osquery flags file and remove the config we are setting at Fleet the stuff in osquery options fleetctl get options ` config refresh` ` config plugin` ` config tls endpoint` Anything else

CptOfEvilMinions · Answer

You may want to evaluate ` logger plugin` If you want to send logs results to Fleet then leave it as is If you want to store the logs on disk set it to `filesystem` or both `tls filesystem`

Dan Achin · Answer

Thanks < CptOfEvilMinions> we do want to send the logs to Fleet still We may or may not decide to keep them locally as well

CptOfEvilMinions · Answer

Just my 2 cents When it s appropriate I like to store logs on the device if I can Just incase the logging pipeline goes down and events are missed they still exist on the host for investigation

Dan Achin · Answer

Right that makes total sense

Dan Achin · Answer

I m trying to recall why our security team wasn t jazzed on having them local as well slightly smiling face

CptOfEvilMinions · Answer

Possible because it gives attackers insight into what you re logging Another possibility is things like command line logging can contain secrets

Dan Achin · Answer

possibly

Gavin · Answer

You say that but the config and queries are on disk so it s not always the most difficult to reverse