Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
a
Adrian Junge
11/21/2022, 3:53 PMHello everyone, I got another question regarding to the instant queries of Fleet. For the defined policies fleet desktop provides the possibility to the users to see all requested policies. For the instant queries this is not possible with fleet desktop, is there any way to make requested instant queries transparent for all hosts for example with logs?
k
Kathy Satterlee
11/21/2022, 4:10 PMYou could use the filesystem logging plugin for osquery logs.
If you also need to forward them to a centralized location, you can set up a file watcher locally.
We did a workshop at DEF CON where we did something similar this with Filebeat and Greylog:
https://github.com/ksatter/fleet-docker/tree/defcon30
There, we were still sending the logs to Fleet using the TLS logger plugin in osquery, so the watcher is set up on the server. You'd want to use the filesystem plugin for osquery logs and set up the watcher on each host.
a
Adrian Junge
11/21/2022, 4:20 PMThank you very much!
k
Kathy Satterlee
11/21/2022, 4:21 PMAny time!