# kolide

Dan Achin

11/03/2020, 8:33 PM
Anyone know if Fleet has audit logs for admin actions? I can see a lot of client access in the nginx logs, but not finding anything for the UI or any actions performed there. I'm guessing that changes made like new users, or updates to packs are logged in the DB. Is that right?

zwass

11/03/2020, 8:35 PM
Those things are logged to stderr

Dan Achin

11/03/2020, 9:29 PM
ok, thanks!
that seems like an odd place to write those kinds of messages. any insight into why stderr was chosen?

zwass

11/03/2020, 10:12 PM
Originally there was logging for every endpoint on stderr as is common with HTTP servers. That logging was very verbose and most folks seemed to want to use it as more of an audit log. Now most of it is hidden unless logging_debug flag is set.

Dan Achin

11/03/2020, 10:37 PM
got it, thanks. I see that here - https://github.com/kolide/fleet/blob/master/docs/infrastructure/configuring-the-fleet-binary.md. I don't see where that will redirect the logs to though