Osquery uses basic SQL commands to leverage a relational data-model to describe a device.

osquery

I am trying to send osquey results and status logs to *Splunk* using Kinesis data firehose .

fleet serve --mysql_address=127.0.0.1:3306 --mysql_database=kolide --mysql_username=kolideadmin --mysql_password=&lt;pass&gt; --server_cert=/etc/ssl/certs/kolide.cert --server_key=/etc/ssl/private/kolide.key --logging_json --auth_jwt_key=WS+Q2v6TyJdZgJDCHFWgak5HtxzPFhH8 --firehose_region=eu-west-1 --firehose_result_stream=osquery_result --firehose_status_stream=osquery_status --firehose_sts_assume_role_arn=arn:aws:iam::971754341671:role/service-role/KinesisFirehoseServiceRole-kolide-splunk-eu-west-1-7604408347595


I could see the logs/results are still getting into /tmp/osquery_result and /tmp/osquery_status

Am I missing something ? Any pointers please ??

Looks like you are missing `osquery_result_log_plugin` and `osquery_status_log_plugin` as documented in <https://github.com/fleetdm/fleet/blob/master/docs/infrastructure/working-with-osquery-logs.md#osquery-logging-plugins>.