Title
#general
d

Daniel Cross

07/08/2022, 1:30 AM
When using
distributed_plugin
eg with Fleet, I have observed that the query results do not log to the
logger_plugin
location, these are only within their own comms path. Is that correct? Any way to have the queries logged locally also?
zwass

zwass

07/08/2022, 1:53 AM
No, the logger plugin only received scheduled query logs.
d

Daniel Cross

07/08/2022, 3:56 AM
👍 Thought so @zwass, thanks for confirming this.
6:10 AM
🤔 thinking about this a bit more, the scheduled queries defined in fleet would then log to the local logger? It’s actually osquery config which is updated with these via config, which will require the
tls
config plugin? Where the live queries are the distributed plugin. That’s how I think it works. The scheduling isn’t done within fleet. Which then means we’re handing over config to fleet, I wonder if there’s a way to honour filesystem config as preferred except for fleet’s scheduled queries in that case.
6:27 AM
I wonder then if it’d work to have an empty ‘Global agent options’ in fleet plus enable the tls config_plugin in osq. Maybe this would not overwrite nor apply any config, but osq agents would run the fleet scheduled queries 🤔
zwass

zwass

07/08/2022, 7:08 PM
Anything that you set in the flagfile (which lives on the filesystem) that is not overwritten by configs you set inFleet would achieve "honour filesystem config as preferred". You can't set every kind of config via flagfile, but perhaps that covers what you are looking for?
7:09 PM
the scheduled queries defined in fleet would then log to the local logger?
Yes, that's right. Which could be
filesystem
(filesystem on the local host), or
tls
(logging to Fleet, where it is typically forwarded on to some logging pipeline). It can actually be both if you want. Note that config is either/or, you can't have both
filesystem
and
tls
for config plugin.