Hey there, I want to test osquery with ELK ELK stack is ready and I want to test this on windows and ubuntu hosts Does Osquery send logs to logstash itself? or I need to send osquery logs from log file with filebeats?

The second, https://github.com/dactivllc/osquery-in-a-box/ has a solid example of this.

In my scenario is kolide a mandatory? I dont need kolide fleet I just need to get log from osquery periodic queries

Osquery does not support logstash directly. You can have it write to local disk, and use filebeat as you suggested.

Thank you, I dont need TLS in my environment So I should send the content in osqueryd.results.log with filebeats to logstash, am I right?

That is the log which contains the query results only

What type of logs are stored in those files? Are they useful?

TLS isn't so much about TLS. It's the remote control protocol. Required if you want to use osquery's life query, or the native mechanism to distribute configuration. If you have other config management tools you can use them.

Hi @Erfan I want to apologies for the confusion I thought this was posted in the Kolide channel and in haste responded I am happy you got the correct resolution.

Dear @seph I just need osquery for some periodical queries on my endpoints and have the results in json format on my elk stack Do I need kolide or configuration management tool also in this case ?

How will you get the configuration of the scheduled queries to your endpoints?

Our endpoints are windows 10 mostly and I think the Microsoft SCCM can do this task

No idea.

Yes, thanks for your asnwers My issue is on the last 2 items Now I will send logs to elk with beats to parse them and then see what issues will happen