Channels
doorman
infrastructure
random
zercurity
community-feeds
fleet-dev
code-review
queryhub
apple-silicon
carving
tls
fim
goquery
zentral
aws
querycon
golang
zeek
file-carving
fuzzing
auditing-warroom
linen-dev
fleetosquery
plugins
jobs
arm-architecture
darkbytes
process-auditing
uptycs
android_tests
selfgroup
vendor-feeds
fleet
eclecticiq-polylogyx-extension
ebpf
website
core
general
macos
kolide
osctrl
extensions
foundation
sql
officehours
linux
windows
Title
r
raj
10/18/2018, 2:44 AMAnyone using Humio or Splunk as the database collecting query results? Any pro-tips for a noob?
🤔 1
e
Evgeny Sidorov
10/18/2018, 8:18 AMHi! I'm using splunk and I collect results via HTTPS. For that I needed to develop a proxy-forwarder that takes results from osquery, modifies them and forwards to Splunk HEC
r
raj
10/18/2018, 6:35 PMThanks! That's what we'll probably have to do also.
I was hoping there'd be a pre-existing tool but we might use a log collector agent (nxlog, syslog etc) to send the data over TLS.
e
Evgeny Sidorov
10/21/2018, 4:15 PMIn general you can forward the logs via rsyslog, but the overall scheme will be like osquery -> disk -> rsyslog -> splunk
which can affect IO
in my case disk IO is expensive, so I don't store anything on disk and forward the logs to Splunk right from memory via HTTPS 😃
r
raj
10/24/2018, 6:53 PMGood point. We're already using nxlog on almost everything but a lot of that data's probably from memory rather than disk.