Channels
doorman
infrastructure
random
zercurity
community-feeds
fleet-dev
code-review
queryhub
apple-silicon
carving
tls
fim
goquery
zentral
aws
querycon
golang
zeek
file-carving
fuzzing
auditing-warroom
linen-dev
fleetosquery
plugins
jobs
arm-architecture
darkbytes
process-auditing
uptycs
android_tests
selfgroup
vendor-feeds
fleet
eclecticiq-polylogyx-extension
ebpf
website
core
general
macos
kolide
osctrl
extensions
foundation
sql
officehours
linux
windows
Title
a
Abraxas
08/20/2019, 4:19 PMjust saw kolide a few days ago and set up a server yesterday with two nodes - had a noob question about the data model: Can it be configured so that data is searched at the endpoint for some nodes and then other nodes forward data to the fleet server to be searched there?
s
sundsta
08/20/2019, 4:21 PMWhat is
nodea
Abraxas
08/20/2019, 4:22 PMendpoint running osqueryd
right now, only one fleet server
storage is a bit tight here so being able to leverage the endpoints would be cool 🙂
s
sundsta
08/20/2019, 4:24 PMThe queries run on the endpoint and the results are shipped to Fleet. You can filter what endpoints run what queries using labels.
and endpoints can have labels automatically applied to them by the results of queries
a
Abraxas
08/20/2019, 4:24 PMsweet, thank you for clarifying that!
s
seph
08/20/2019, 4:24 PMIt is not built the way you’re asking. Fleet (and osquery) aren’t a distributed system like that. Fleet gathers information, and then works with it locally. You can forward logs from fleet to something like ELK if that’s your direction
a
Abraxas
08/20/2019, 4:25 PMthanks @sundsta and @seph