When using `distributed plugin` eg with Fleet I have observe

Question

When using `distributed plugin` eg with Fleet I have observed that the query results do not log to the `logger plugin` location these are only within their own comms path Is that correct Any way to have the queries logged locally also

zwass · Answer

No the logger plugin only received scheduled query logs

Daniel Cross · Answer

thumbsup Thought so < zwass> thanks for confirming this

Daniel Cross · Answer

thinking face thinking about this a bit more the scheduled queries defined in fleet would then log to the local logger It s actually osquery config which is updated with these via config which will require the `tls` config plugin Where the live queries are the distributed plugin That s how I think it works The scheduling isn t done within fleet Which then means we re handing over config to fleet I wonder if there s a way to honour filesystem config as preferred except for fleet s scheduled queries in that case

Daniel Cross · Answer

I wonder then if it d work to have an empty Global agent options in fleet plus enable the tls config plugin in osq Maybe this would not overwrite nor apply any config but osq agents would run the fleet scheduled queries thinking face

zwass · Answer

Anything that you set in the flagfile which lives on the filesystem that is not overwritten by configs you set inFleet would achieve honour filesystem config as preferred You can t set every kind of config via flagfile but perhaps that covers what you are looking for

zwass · Answer

gt the scheduled queries defined in fleet would then log to the local logger Yes that s right Which could be `filesystem` filesystem on the local host or `tls` logging to Fleet where it is typically forwarded on to some logging pipeline It can actually be both if you want Note that config is either or you can t have both `filesystem` and `tls` for config plugin