<@U7QP20JQH> Hi, do you know if there any example ...
# general
s
@seph Hi, do you know if there are any example configurations for remote syslog? I mean forwarding results to an <ip>:<port> syslog server, or POSIX domain, whatever works.
s
I’m not sure osquery supports forwarding to a remote syslog. I don’t see mention of it in the docs.
s
Syslog clients usually support writing into a POSIX socket. Is it possible to configure osquery to write into a socket?
s
I’m not sure how it’s implemented. You’d need to check the source.
s
OK, maybe you know if it's possible to configure the HTTPS log sender using self-signed certs?
s
Depends a bit on what you mean… I think the normal loggers osquery ships are local syslog, files, and Kafka. Then there’s the remote TLS server. TLS logging is part of that; it might work without the rest of the TLS stuff, I have no idea. You’d have to test it, or try to read the code. There is an option for client certs.
s
thanks a lot
z
HTTPS definitely supports self-signed certs. You need to configure --tls_server_certs
s
As I understood it, the server must support the authentication mechanism, so I'll either need a server which supports this kind of negotiation
z
Yes, that is true.
I think the syslog plugin does what you want though. I haven't used it for a long time so I don't remember exactly. But it's worth a try.
s
For that to work I need to set a socket path or an address:port pair, and I can't find the proper settings.
That's why I'm asking - I just don't know if such settings even exist.
z
I think osquery logs to your local syslog and then you set up forwarding within syslog?
s
In such a case, how will that work if I have two logging plugins set? Like "filesystem,syslog", because for filesystem I have to set a file path, and for syslog a POSIX socket.
z
I believe you can use logger_path to set the filesystem logging path and then syslog will log to the local syslog.
s
Thanks, I will try that
z
Good luck! Let us know if it works 🙂
s
OK, thanks again.