#fleet

Artem

01/14/2021, 1:22 PM
Hello! Is it possible in the future to bring the Fleet result logs into accordance with ECS (https://www.elastic.co/guide/en/ecs/current/ecs-reference.html) out of the box? Or maybe it is possible to do it now? It may be reasonable for easier and faster integration of osquery/Fleet with the Elastic Security (SIEM) module.
Gavin

01/14/2021, 1:38 PM
Please take a look at the following issue: https://github.com/elastic/beats/issues/21010. The issue is with the way the Beats shipper operates and fills in additional metadata from the host. It's possible right now if you wrangle your Beats shipper config.
1:39 PM
filebeat.inputs:
  - type: log
    enabled: true
    paths:
      - /var/log/osqueryd.results.log
    json.keys_under_root: true
    fields_under_root: true
    publisher_pipeline.disable_host: true

filebeat.config.modules:
  # Glob pattern for configuration loading
  path: ${path.config}/modules.d/*.yml
  # Set to true to enable config reloading
  reload.enabled: false
  # Period on which files under path should be checked for changes
  # reload.period: 10s
1:40 PM
The assumption here is that you run the latest Beats agent either as a sidecar or on the host you're running Kolide Fleet on, and ship from the file system.
1:41 PM
publisher_pipeline.disable_host: true
is a Beats config option to not try to fill in additional ECS metadata from the Beats agent instead of the original log source.
1:42 PM
Note the issue was raised for discussion, rather than as a direct PR, as the Beats team were not keen to accept any changes at this time since they're working on osquery support for their SIEM product.
Artem

01/14/2021, 2:16 PM
Thank you! I’ll test these options!