do you have experience of running osquery on enterprise without a fleet manager? using only chef/puppet/jamf? how do you manage the packs/fim/conf? how do you stream the query results in the logs pipeline?

yes, use chef to manage your config+packs. Then for ingesting logs, how do you do this today? If you have an existing pipeline try to fit osquery into it. The default behavior is to write logs to a file, do you have something that similarly collects logs? If you search/google osquery+$yourexistingtools you might find guides

at moment I am using a fleet manager and osquery forward the logs via TLS to it and beats from fleet manager to the pipeline.

ah, so you are looking for alternatives?

maybe via osquery kafka, but it seems to be not so stable

Hey @vaar, sorry for the late reply here but I wrote a blog post a couple months back on sending osquery logs with Rsyslog. This blog post shows how to setup the Rsyslog client to send Osquery logs and the Rsyslog server. https://holdmybeersecurity.com/2019/03/29/logging-osquery-with-rsyslog-v8-love-at-first-sight/ Additionally, I have several other blogs on how to ship osquery logs using Rsyslog to Kafka.

yes, I read it. It is nice, but we don't want to run rsyslog on all endpoints too, in particular if they are workstations 😞