# kolide
j
Good morning everyone, hope you are enjoying this beautiful Friday! I have a Kolide Fleet stack running on AWS on an ECS. The server is configured to send log results to a Firehose Kinesis. I want to disable the Firehose plugin and drop the Firehose stack (trying to drop any result logging output from the server). I wonder, if we drop the Firehose service on AWS, will the Fleet server store/cache the results if the Firehose does not exist? I don’t want to store or cache anything, just disable log results publishing from the server. Or maybe, what would be the right flag/plugin to set in order to disable any log being published from the Fleet server?
z
iirc, if you don't configure a logger, it'll default to `filesystem`; in this case would be whatever you configured your ECS containers to log to (Cloudwatch Logs, most typically).
j
Question would be then, can I change this flag without having to redeploy the entire server stack, I mean at runtime? `--osquery_result_log_plugin`, like by using `fleetctl` or something?
z
¯\_(ツ)_/¯
j
this is fine
So going back to my original question, if Fleet can't find/connect to the Firehose stream specified, where are all the logs going?
I know there is an env var called `KOLIDE_OSQUERY_RESULT_LOG_PLUGIN`. Changing that env var would be enough?
s
If Fleet can’t connect to the firehose plugin, it would just error and not log anything
The result plugin can be specified in the configuration file, env vars, or CLI flags. https://github.com/kolide/fleet/blob/master/docs/infrastructure/configuring-the-fleet-binary.md#how-do-you-specify-options. You can’t (or at least shouldn’t) set any of these options in more than one way
j
Amazing! Thanks for your help!!