# fleet
pvirani

07/28/2021, 5:24 PM
Hey friends! What's the best way to forward all the scheduled query results to another endpoint? We need to collect em all in our SIEM
Jason

07/28/2021, 5:32 PM
There are lots of different ways. Depends on where fleet is hosted.
at the most basic, you log to disk and use whatever forwarders your SIEM supports on the fleet host(s)
or you can use AWS Kinesis or GCP PubSub
and pull it from there
pvirani

07/28/2021, 5:34 PM
yeah definitely gonna go the Kinesis way
thinking of hosting on either EKS or ECR, not sure yet. Still researching.
defensivedepth

07/28/2021, 5:42 PM
We use Filebeat --> Elasticsearch
Jason

07/28/2021, 5:45 PM
yeah if you are deploying containers, kinesis is the way to go
Saulo Guilhermino

07/28/2021, 6:10 PM
My approach is to store the result logs on the filesystem (using the flags

```yaml
osquery:
  result_log_plugin: filesystem
filesystem:
  result_log_file: /var/log/fleet/result.log
  enable_log_rotation: true
```

) and then use Filebeat to read this file and send the logs to my Logstash.
zwass

07/28/2021, 10:14 PM
All of the above are excellent options! Many folks on AWS have good success with Kinesis/Firehose.
Mystery Incorporated

07/29/2021, 10:22 AM
I use logstash -> elasticsearch
because my Logstash is ingesting from a ton of sources, not just OSQ; Logstash is probably overkill if you just want to do osquery results.