#general
alessandrogario

10/30/2022, 11:16 AM
I don't think that one can replace the other; they seem like really different tools. If, however, you only care about forwarding existing text-based logs, then osquery may not be a good choice in your deployment.
Mystery Incorporated

10/31/2022, 2:19 AM
Yes but the problem is we end up with 5 different agents that we must maintain to do things. Do you not see how the omission of simple text file ingestion and then being like “just use another tool” is kinda lame? You quickly have to end up managing a fleet of 5 different tools just to do some simple things. And you can’t use fleet to manage that fleet lol.
alessandrogario

10/31/2022, 2:27 AM
I think there's a good explanation from seph in the link that you posted; you can also just create an extension in Python and that will integrate nicely with Fleet
2:27 AM
It does not seem like you need osquery though if you are just forwarding logs
Mystery Incorporated

10/31/2022, 2:28 AM
Cross-platform, the ability to filter the event log with osquery (cherry-picking specific events from the event log instead of just forwarding everything on), and management with Fleet. I don’t think it’s appropriate to say that ingesting a text log could be a privacy violation. Since when are company-managed devices privacy oriented anyway? Even a user's logon/logoff times could be deemed anti-privacy in that case. That is the most nonsensical thing I have ever seen; it’s up to the company to create their privacy policy and such, and inform their users about what is monitored.
alessandrogario

10/31/2022, 10:26 AM
osquery is a building block, you are encouraged to add your own features to it through the extension system; we have an SDK for every major language (the golang one is especially nice)
10:27 AM
There are other additional reasons not to introduce that table, like preventing that feature from becoming a footgun that will just trigger the watchdog every time it is queried
10:28 AM
Additionally, I think extensions are a good way to introduce functionality without adding to the maintenance burden in core
10:30 AM
I think the real problem in this deployment is that it's hard to deploy additional files (such as an extension) and should be fixed asap