I am trying to send osquey results and status logs to Splunk

Question

I am trying to send osquey results and status logs to Splunk using Kinesis data firehose fleet serve mysql address=127 0 0 1 3306 mysql database=kolide mysql username=kolideadmin mysql password= lt pass gt server cert= etc ssl certs kolide cert server key= etc ssl private kolide key logging json auth jwt key=WS+Q2v6TyJdZgJDCHFWgak5HtxzPFhH8 firehose region=eu west 1 firehose result stream=osquery result firehose status stream=osquery status firehose sts assume role arn=arn aws iam 971754341671 role service role KinesisFirehoseServiceRole kolide splunk eu west 1 7604408347595 I could see the logs results are still getting into tmp osquery result and tmp osquery status Am I missing something Any pointers please

zwass · Answer

Looks like you are missing `osquery result log plugin` and `osquery status log plugin` as documented in <https github com fleetdm fleet blob master docs infrastructure working with osquery logs md osquery logging plugins>