Osquery uses basic SQL commands to leverage a relational data-model to describe a device.

osquery

Does anyone know how much work it takes to build reporting into the OSS version of Kolide?

Assuming you are talking about Fleet... There is no reporting in Fleet. You would configure your logs to go into an aggregation system (Splunk, ELK, etc.) and then build reports there.

Yes, i was talking about fleet :) i was wondering, because the SAAS version has reporting as far as i can see

The SaaS is also not Fleet. Separate code base

Now ik even more confused.. and all i wanted was reporting :see_no_evil:

What does reporting mean to you?

Reporting is generally going to be some kind of server side storage/aggregation/reporting flow.

As folks have commented, the SaaS is a different codebase from Fleet.

yeah, and thats why i came here for help :wink: we are a small MSSP looking to use osquery for security analytics. much like uptycs and zercurity, they have logging and reporting, but they only offer SaaS or very expensive solutions. since we are targetting really small to small company's, we cant afford to ask them to pay hundreds of dollars a month. so i am basicly left with the option of looking into building it ourselves

We have looked into Wazuh for this. which is tightly integrated with ELK, but truth be told, im no fan of ELK.. that might be just me ofcourse :wink:

ELK is a solid option if you’re rolling your own solution. Alternatively, if you want to keep within the SQL ecosystem Postgres+TimescaleDB seems solid. There aren’t too many free and open source options in that space.

well Postgres sounds good! that i know :wink:

the problem with Wazuh/ELK for me is, that i cant seem to get it working.. and there are scaling issuesin the future that i worry about :slightly_smiling_face: and Kibana and me just dont seem to get along