Hey friends What s the best way to forward all the scheduled osquery #fleet

Hey friends! What's the best way to forward all th...

pvirani

07/28/2021, 5:24 PM

Hey friends! What's the best way to forward all the scheduled query results to another endpoint? We need to collect em all in our SIEM

Jason

07/28/2021, 5:32 PM

There are lots of different ways. Depends on where fleet is hosted.

Jason

07/28/2021, 5:32 PM

at the most basic, you log to disk and use whatever forwarders your SIEM supports on the fleet host(s)

Jason

07/28/2021, 5:33 PM

or you can use AWS Kinesis or GCP PubSub

👍🏽 2

Jason

07/28/2021, 5:33 PM

and pull it from there

pvirani

07/28/2021, 5:34 PM

yeah definitely gonna go the Kinesis way

pvirani

07/28/2021, 5:35 PM

thinking of hosting on either EKS or ECR not sure yet. still researching

defensivedepth

07/28/2021, 5:42 PM

We use Filebeat --> Elasticsearch

ty 1

Jason

07/28/2021, 5:45 PM

yeah if you are deploying containers, kinesis is the way to go

ty 1

💯 2

Saulo Guilhermino

07/28/2021, 6:10 PM

My approach is to store the result logs on the filesystem (using the flags

osquery: result_log_plugin: filesystem

and

filesystem: result_log_file: /var/log/fleet/result.log, enable_log_rotation: true

) and then using a filebeat to read this file and send the logs to my logstash

👀 1

zwass

07/28/2021, 10:14 PM

All of the above are excellent options! Many folks on AWS have good success with Kinesis/Firehose.

🙏🏽 1

👍🏽 1

Mystery Incorporated

07/29/2021, 10:22 AM

I use logstash -> elasticsearch

ty 1

Mystery Incorporated

07/29/2021, 10:23 AM

coz my logstash is ingesting from a ton of sources not just OSQ, logstash is probably overkill if you just want to do osquery results

💯 1

ty 2

4 Views

Open in Slack

Previous Next