# fleet

pvirani

03/11/2022, 8:00 PM
Hey friends! For scheduled query results logging, is there a way to specify a destination Kinesis stream in a different AWS account than the one in which Fleet is running? (i.e. Fleet is running in accountA. My Destination Kinesis stream is in accountB)

Kathy Satterlee

03/11/2022, 8:21 PM
Hiya! You can send those logs to another account, just use the information for the destination you want to use for logging when configuring the plugin.

pvirani

03/11/2022, 8:25 PM
- name: FLEET_OSQUERY_RESULT_LOG_PLUGIN
  value: "firehose"
- name: FLEET_FIREHOSE_REGION
  value: "us-west-2"
- name: FLEET_FIREHOSE_RESULT_STREAM
  value: "p8t-osquery-stage-logs-es"
This is what I've configured. There doesn't seem to be a way to specify that the RESULT_STREAM is in fact another account
Fleet keeps searching for the stream inside the same account 🙂 and fails of course
Tried changing the following
- name: FLEET_FIREHOSE_RESULT_STREAM
  value: <ARN of the delivery stream in AccountB>
but that doesn't work because the entire value just gets appended like so
arn:aws:firehose:<region>:<AccountA>:deliverystream/<ARN of the delivery stream in AccountB>
I'll just create the stream inside AccountA I guess and configure cross-account rules on my downstream destination instead ... but this cross-account Kinesis stream option would be nice to have for sure

Kathy Satterlee

03/11/2022, 9:38 PM
Sorry for any confusion there. I saw Kinesis, so I assumed that was your log destination plugin. Let me dig into firehose.
You can also set your firehose_access_key_id and firehose_secret_access_key. The details for that are here: https://fleetdm.com/docs/deploying/configuration#firehose
Hope that's a little more helpful for you. And that'll teach me not to assume :)