I am trying to send osquey results and status logs to Splunk using Kinesis data firehose . fleet serve --mysql_address=127.0.0.1:3306 --mysql_database=kolide --mysql_username=kolideadmin --mysql_password=<pass> --server_cert=/etc/ssl/certs/kolide.cert --server_key=/etc/ssl/private/kolide.key --logging_json --auth_jwt_key=WS+Q2v6TyJdZgJDCHFWgak5HtxzPFhH8 --firehose_region=eu-west-1 --firehose_result_stream=osquery_result --firehose_status_stream=osquery_status --firehose_sts_assume_role_arn=arnawsiam:971754341671role/service-role/KinesisFirehoseServiceRole-kolide-splunk-eu-west-1-7604408347595 I could see the logs/results are still getting into /tmp/osquery_result and /tmp/osquery_status Am I missing something ? Any pointers please ??

Looks like you are missing

osquery_result_log_plugin

and

osquery_status_log_plugin

as documented in https://github.com/fleetdm/fleet/blob/master/docs/infrastructure/working-with-osquery-logs.md#osquery-logging-plugins.