just saw kolide a few days ago and set up a server...
# kolidea
Abraxas
08/20/2019, 4:19 PMjust saw kolide a few days ago and set up a server yesterday with two nodes - had a noob question about the data model: Can it be configured so that data is searched at the endpoint for some nodes and then other nodes forward data to the fleet server to be searched there?
s
sundsta
08/20/2019, 4:21 PMWhat is
nodea
Abraxas
08/20/2019, 4:22 PMendpoint running osqueryd
Abraxas
08/20/2019, 4:22 PMright now, only one fleet server
Abraxas
08/20/2019, 4:22 PMstorage is a bit tight here so being able to leverage the endpoints would be cool 🙂
s
sundsta
08/20/2019, 4:24 PMThe queries run on the endpoint and the results are shipped to Fleet. You can filter what endpoints run what queries using labels.
sundsta
08/20/2019, 4:24 PMand endpoints can have labels automatically applied to them by the results of queries
a
Abraxas
08/20/2019, 4:24 PMsweet, thank you for clarifying that!
s
seph
08/20/2019, 4:24 PM
It is not built the way you’re asking. Fleet (and osquery) aren’t a distributed system like that. Fleet gathers information, and then works with it locally. You can forward logs from fleet to something like ELK if that’s your direction
a
Abraxas
08/20/2019, 4:25 PMthanks @sundsta and @seph