not sure if this is a core question or a fleet question, but here goes: I noticed in the fleet source recently that the

OsqueryLogger

struct has separate

Status

and

Result

loggers. that’s great! However, in the osquery source code I don’t a distinction made between the 2 types of logs. My question is this: is it possible to configure osquery to send status logs to a different output than the result logs?

It is not possible to configure osquery to send status and result logs to different logger plugins, however it is common for the logger plugin (or consumer of the logs) to split them into separate streams. For example, the filesystem logger logs results and statuses to different files. Fleet receives all the logs over the tls logger plugin, but splits the results and statuses into separate streams for output.

that’s kindof what I thought 😞

What are you trying to achieve?

ideally i’d like to send status logs to something like aws cloudwatch but results logs to aws kineses

Yeah that makes sense. Are you using Fleet? Or is that just something you were looking at to understand this?

yeah we’re using fleet. but mainly this is for scheduled queries and not the distirbuted ones

If you use the tls logger plugin in osquery and the logs make it to Fleet they will be separated into status and result logs. Fleet allows you to configure which files these write to. Fleet can also log status and results to separate Firehose streams. No Kinesis support as of now.

yeah I was looking at that and it might be our best option for now

You could also write a custom logger plugin for osquery and do whatever you want with the logs on the hosts. This does not prevent you from using Fleet for live queries and config management.

indeed. I think a combination of the 2 is what I’ll end up doing long term. we have things running well right now with fleet and osquery, but we’re just looking to make some tweaks to our setup

Sounds good. Good luck!