Good morning everyone, hope you are enjoying this beautiful Friday! I have a Kolide Fleet stack running on AWS on an ECS. The server is configured to send log results to a Firehose Kinesis. I want to disable the Firehose plugin and drop the Firehose stack (trying to drop any result logging output from the server). I wonder if we drop the Firehose service on AWS, does the Fleet server will store/cache the results if the Firehose does not exists? I don’t want to store neither cache anything, just disable log results publishing from the server. Or maybe, what would be the right flag/plugin to set in order to disable any log being published from the Fleet server?

iirc, if you don't configure a logger, it'll default to

filesystem

in this case would be whatever you configured your ECS containers to log to (Cloudwatch Logs, most typically).

Question would be then, can I change this flag without having to redeploy the entire server stack, mean on runtime?

--osquery_result_log_plugin

like by using

fleetctl

or something?

¯\_(ツ)_/¯

:this_is_fine:

If Fleet can’t connect to the firehose plugin, it would just error and not log anything

Amazing! Thanks for your help!!