jacknagz

03/05/2020, 4:25 PM
I have it configured, but it doesn’t seem to be sending data yet
zwass

03/06/2020, 8:21 PM
Can you try configuring filesystem logging and see if that works? Also follow the steps in the FAQ: https://github.com/kolide/fleet/blob/master/docs/infrastructure/faq.md#where-are-my-query-results
jacknagz

03/09/2020, 5:00 PM
so log the results locally instead of sending to TLS?
zwass

03/09/2020, 5:07 PM
No, log the results to the filesystem on the Fleet server so you can verify if they are making it that far.
jacknagz

03/09/2020, 5:10 PM
How could I verify? It’s an ECS container
(via fargate)
zwass

03/10/2020, 4:45 PM
Mount a volume?
If that seems difficult, have you used --tls_dump to verify that osquery is sending data over to the Fleet instance? Are you able to see responses to those log requests? Are there errors in the Fleet logs?
jacknagz

03/11/2020, 11:21 PM
I think I know why it’s erroring
The ECS role needs DescribeDeliveryStream permissions
zwass

03/11/2020, 11:22 PM
Yeah the code wants to ensure that the stream exists before starting up successfully. Was there not an error message output about this?
jacknagz

03/11/2020, 11:25 PM
I wasn’t able to log in and check, but I had an epiphany earlier today about this
going to deploy and see if it’s working
if there was a way in the UI to see this stuff it’d be super helpful
or does it write these logs out to CloudWatch?
zwass

03/11/2020, 11:26 PM
If it's not logging to stderr (therefore cloudwatch in your case) about this, please file an issue.
jacknagz

03/12/2020, 6:31 PM
Do I need to specify firehose in my options.yml? for result logs? https://github.com/kolide/fleet/blob/master/server/logging/logging.go#L62
but was confused about the options I specify with fleetctl vs the ENV variables I set on the container
my options look something like:
apiVersion: v1
kind: options
spec:
  config:
    decorators:
      load:
        - SELECT uuid AS host_uuid FROM system_info;
        - SELECT hostname AS hostname FROM system_info;
    options:
      disable_distributed: false
      distributed_interval: 10
      distributed_plugin: tls
      distributed_tls_max_attempts: 3
      logger_plugin: tls
      logger_tls_endpoint: /api/v1/osquery/log
      logger_tls_period: 10
      pack_delimiter: /
  overrides: {}
so if I’m understanding correctly, I can set env variables, or can just add this to the top level and apply the config:
osquery:
  status_log_plugin: firehose
is that correct?
system_info -> options is only for the systems sending data to fleet?
zwass

03/12/2020, 9:17 PM
The options set in fleetctl are sent to the osquery agent as configuration (along with queries in packs). The configuration in the docs you are looking at is set in env vars, flags, or config file for the Fleet server.