Good morning everyone hope you are enjoying this beautiful F

Question

Good morning everyone hope you are enjoying this beautiful Friday I have a Kolide Fleet stack running on AWS on an ECS The server is configured to send log results to a Firehose Kinesis I want to disable the Firehose plugin and drop the Firehose stack trying to drop any result logging output from the server I wonder if we drop the Firehose service on AWS does the Fleet server will store cache the results if the Firehose does not exists I don t want to store neither cache anything just disable log results publishing from the server Or maybe what would be the right flag plugin to set in order to disable any log being published from the Fleet server

Zach Zeid · Answer

iirc if you don t configure a logger it ll default to `filesystem` in this case would be whatever you configured your ECS containers to log to Cloudwatch Logs most typically

Julian Scala · Answer

Question would be then can I change this flag without having to redeploy the entire server stack mean on runtime ` osquery result log plugin` like by using `fleetctl` or something

Zach Zeid · Answer

ツ

Julian Scala · Answer

this is fine

Julian Scala · Answer

So going back to my original question if Fleet cant find connect to the Firehose stream specified where are all the logs going

Julian Scala · Answer

I know there is an env var called `KOLIDE OSQUERY RESULT LOG PLUGIN` Changing that env var would be enough

sundsta · Answer

If Fleet can t connect to the firehose plugin it would just error and not log anything

sundsta · Answer

The result plugin can be specified in the configuration file env vars or CLI flags <https github com kolide fleet blob master docs infrastructure configuring the fleet binary md how do you specify options> You can t or at least shouldn t set any of these options in more than one way

Julian Scala · Answer

Amazing Thanks for your help