Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
p
pvirani
07/28/2021, 5:24 PMHey friends! What's the best way to forward all the scheduled query results to another endpoint? We need to collect em all in our SIEM
j
Jason
07/28/2021, 5:32 PMThere are lots of different ways. Depends on where fleet is hosted.
at the most basic, you log to disk and use whatever forwarders your SIEM supports on the fleet host(s)
or you can use AWS Kinesis or GCP PubSub
👍🏽 2
and pull it from there
p
pvirani
07/28/2021, 5:34 PMyeah definitely gonna go the Kinesis way
thinking of hosting on either EKS or ECR not sure yet. still researching
d
defensivedepth
07/28/2021, 5:42 PMWe use Filebeat --> Elasticsearch
:ty: 1
j
Jason
07/28/2021, 5:45 PMyeah if you are deploying containers, kinesis is the way to go
:ty: 1
💯 2
s
Saulo Guilhermino
07/28/2021, 6:10 PMMy approach is to store the result logs on the filesystem (using the flags
osquery: result_log_plugin: filesystemfilesystem: result_log_file: /var/log/fleet/result.log, enable_log_rotation: true👀 1
z
zwass
07/28/2021, 10:14 PMAll of the above are excellent options! Many folks on AWS have good success with Kinesis/Firehose.
🙏🏽 1
👍🏽 1
m
Mystery Incorporated
07/29/2021, 10:22 AMI use logstash -> elasticsearch
:ty: 1
coz my logstash is ingesting from a ton of sources not just OSQ, logstash is probably overkill if you just want to do osquery results
💯 1
:ty: 2