Hello everyone, I have another question regarding the instant queries of Fleet. For the defined policies, Fleet Desktop gives users the possibility to see all requested policies. For the instant queries this is not possible with Fleet Desktop; is there any way to make requested instant queries transparent for all hosts, for example with logs?
11/21/2022, 4:10 PM
You could use the filesystem logging plugin for osquery logs.
If you also need to forward them to a centralized location, you can set up a file watcher locally.
We did a workshop at DEF CON where we did something similar to this with Filebeat and Graylog:
There, we were still sending the logs to Fleet using the TLS logger plugin in osquery, so the watcher is set up on the server. You'd want to use the filesystem plugin for osquery logs and set up the watcher on each host.