just saw kolide a few days ago and set up a server yesterday

Question

just saw kolide a few days ago and set up a server yesterday with two nodes had a noob question about the data model Can it be configured so that data is searched at the endpoint for some nodes and then other nodes forward data to the fleet server to be searched there

sundsta · Answer

What is `node` in this scenario A server running Fleet or an endpoint running osqueryd

Abraxas · Answer

endpoint running osqueryd

Abraxas · Answer

right now only one fleet server

Abraxas · Answer

storage is a bit tight here so being able to leverage the endpoints would be cool slightly smiling face

sundsta · Answer

The queries run on the endpoint and the results are shipped to Fleet You can filter what endpoints run what queries using labels

sundsta · Answer

and endpoints can have labels automatically applied to them by the results of queries

Abraxas · Answer

sweet thank you for clarifying that

seph · Answer

It is not built the way you re asking Fleet and osquery aren t a distributed system like that Fleet gathers information and then works with it locally You can forward logs from fleet to something like ELK if that s your direction

Abraxas · Answer

thanks < sundsta> and < seph>