https://github.com/osquery/osquery logo
Powered by
Title
a

asparamancer

08/13/2019, 5:18 PM
when you run a query or pack from fleet should it be logged in the normal osquery log (e.g. C:\ProgramData\osquery\log\osquery.results.log (or snapshots)) - or just on the fleet server
z

zwass

08/13/2019, 5:20 PM
This depends on how you configure osquery. The 
filesystem
logger plugin in osquery will continue to write to the local filesystem. The 
tls
plugin will write to Fleet. You can use both if you like.
a

asparamancer

08/13/2019, 5:21 PM
thanks, and is that just specified in the manage additional osquery options config page by adding filesystem to the logger_plugin option?
z

zwass

08/13/2019, 5:25 PM
Typically you would specify this in the config that Fleet sends down to osquery: https://github.com/kolide/fleet/blob/master/docs/cli/file-format.md#osquery-configuration-options
But you also have the option of continuing to use a filesystem config and just using Fleet for receiving logs and live queries.
a

asparamancer

08/13/2019, 5:53 PM
ah ok, so it's not possible to set logger_plugin here to 
tls,filesystem
2 Views
#kolideJoin Slack
Powered by