hilt
01/19/2021, 1:08 PMzwass
hilt
01/21/2021, 1:05 AMGavin
01/21/2021, 1:08 AM---
apiVersion: apps/v1
kind: Deployment
metadata:
name: fleet-webserver
labels:
app: fleet-webserver
spec:
replicas: 3
selector:
matchLabels:
app: fleet-webserver
template:
metadata:
labels:
app: fleet-webserver
spec:
volumes:
- name: fleet-tls
secret:
secretName: fleet-tls
- name: log-storage
emptyDir: {}
- name: config
configMap:
name: fleet-filebeat-config
containers:
- name: fleet-webserver
image: fleetdm/fleet:3.6.0
command: [fleet, serve]
ports:
- containerPort: 8080
volumeMounts:
- name: fleet-tls
mountPath: /secrets/fleet-tls
readOnly: true
- name: log-storage
mountPath: /var/log/
env:
- name: KOLIDE_MYSQL_ADDRESS
valueFrom:
secretKeyRef:
name: fleet-mysql
key: address
- name: KOLIDE_MYSQL_DATABASE
valueFrom:
secretKeyRef:
name: fleet-mysql
key: database
- name: KOLIDE_MYSQL_USERNAME
valueFrom:
secretKeyRef:
name: fleet-mysql
key: username
- name: KOLIDE_MYSQL_PASSWORD
valueFrom:
secretKeyRef:
name: fleet-mysql
key: password
- name: KOLIDE_REDIS_ADDRESS
value: 10.0.0.1:6379
- name: KOLIDE_AUTH_JWT_KEY
valueFrom:
secretKeyRef:
name: fleet-server-auth-key
key: fleet-server-auth-key
- name: KOLIDE_SERVER_ADDRESS
value: 0.0.0.0:8080
- name: KOLIDE_SERVER_CERT
value: /secrets/fleet-tls/tls.crt
- name: KOLIDE_SERVER_KEY
value: /secrets/fleet-tls/tls.key
- name: KOLIDE_LOGGING_JSON
value: 'true'
- name: KOLIDE_OSQUERY_STATUS_LOG_PLUGIN
value: filesystem
- name: KOLIDE_FILESYSTEM_STATUS_LOG_FILE
value: /var/log/osqueryd.status.log
- name: KOLIDE_FILESYSTEM_RESULT_LOG_FILE
value: /var/log/osqueryd.results.log
readinessProbe:
httpGet:
scheme: HTTPS
path: /healthz
port: 8080
initialDelaySeconds: 5
periodSeconds: 10
- name: filebeat
volumeMounts:
- name: config
mountPath: /usr/share/filebeat/filebeat.yml
subPath: filebeat.yml
- name: log-storage
mountPath: /var/log/
image: elastic/filebeat:7.9.0
securityContext:
runAsUser: 0
resources:
limits:
memory: 200Mi
requests:
cpu: 100m
memory: 100Mi
---
filebeat.inputs:
- type: log
enabled: true
paths:
- /var/log/osqueryd.results.log
json.keys_under_root: true
fields_under_root: true
publisher_pipeline.disable_host: true
filebeat.config.modules:
# Glob pattern for configuration loading
path: ${path.config}/modules.d/*.yml
# Set to true to enable config reloading
reload.enabled: false
# Period on which files under path should be checked for changes
# reload.period: 10s
output.logstash:
enabled: true
hosts:
- logstash-ilb.elastic-system.svc:10105
ssl.enabled: false
hilt
01/21/2021, 1:13 AMGavin
01/21/2021, 1:16 AMhilt
01/21/2021, 6:21 AM[
{
"json": {
"field": "message",
"target_field": "osquery",
"ignore_failure": true
}
}
]