# kolide
j
I have it configured, but it doesn’t seem to be sending data yet
z
Can you try configuring filesystem logging and see if that works? Also follow the steps in the FAQ: https://github.com/kolide/fleet/blob/master/docs/infrastructure/faq.md#where-are-my-query-results
j
so log the results locally instead of sending to TLS?
z
No, log the results to the filesystem on the Fleet server so you can verify if they are making it that far.
j
How could I verify? It’s an ECS container
(via fargate)
z
Mount a volume?
If that seems difficult, have you used `--tls_dump` to verify that osquery is sending data over to the Fleet instance? Are you able to see responses to those log requests? Are there errors in the Fleet logs?
j
I think I know why it’s erroring
The ECS role needs DescribeDeliveryStream permissions
z
Yeah the code wants to ensure that the stream exists before starting up successfully. Was there not an error message output about this?
j
I wasn’t able to login and check, but I had an epiphany earlier today about this
going to deploy and see if it’s working
if there was a way in the UI to see this stuff it’d be super helpful
or does it write these logs out to CloudWatch?
z
If it's not logging to stderr (therefore cloudwatch in your case) about this, please file an issue.
j
Do I need to specify `firehose` in my `options.yml`? for result logs? https://github.com/kolide/fleet/blob/master/server/logging/logging.go#L62
but was confused about the `options` I specify with fleetctl vs the ENV variables I set on the container
my options look something like:
```yaml
apiVersion: v1
kind: options
spec:
  config:
    decorators:
      load:
        - SELECT uuid AS host_uuid FROM system_info;
        - SELECT hostname AS hostname FROM system_info;
    options:
      disable_distributed: false
      distributed_interval: 10
      distributed_plugin: tls
      distributed_tls_max_attempts: 3
      logger_plugin: tls
      logger_tls_endpoint: /api/v1/osquery/log
      logger_tls_period: 10
      pack_delimiter: /
  overrides: {}
```
so if I’m understanding correctly, I can set env variables, or can just add this to the top level and apply the config:
```yaml
osquery:
  status_log_plugin: firehose
```
is that correct?
system_info -> options is only for the systems sending data to fleet?
z
The options set in fleetctl are sent to the osquery agent as configuration (along with queries in packs). The configuration in the docs you are looking at is set in env vars, flags, or config file for the Fleet server.