Hello! Enabled audit logging on Fleet version 4.26. We are using firehose to send to an S3 bucket. The permissions we have for the audit logs are identical to the status and results logs that work and we are getting logs for. I enabled audit logging and the audit log plugin set it to firehose but not getting anything. I tried logging in and I see other activities to generate data. No, terraform errors either. Are there any other environment variables that would need to be set?

Hi @Arsenio! How long ago did you enable audit logging? There is a slight delay between an action and the logs showing up. Here are all of the settings needed for audit logging: • Base Firehose settings (would already be set if you were sending results or status logs before) • Activity log settings: ◦ Enable audit log ◦ Audit log plugin ◦ Audit log stream

we enabled a few hours ago. i did notice a variable for FLEET_FIREHOSE_STS_ASSUME_ROLE_ARN, which we don't have but the status and result logs do come in without it enabled

Also note that audit logging is a Fleet Premium feature, are you using the Community edition or have you purchased a Fleet license?

ah yes we are on the freeium edition lol. thank you @Kathy Satterlee!

Gotcha. the Activities API is available and has all of the same data. You could definitely set something up using that to keep an eye on things. :) If you want to chat with someone about moving to Premium, just let me know!

@Kathy Satterlee Is the use of the Query logs also a Fleet Premium feature or is it just the activity logs? We are looking at sending the query logs from Fleet Community to Kinesis Data Firehose and on wards to a MongoDB database.

Just the activity logs. Result logs can be forwarded.

Ok and to send the activity logs- YAML would look something like this?

osquery:
  osquery_status_log_plugin: firehose
  osquery_result_log_plugin: firehose

logging:
  statusPlugin: firehose
  resultPlugin: firehose
  
  firehose:
    region: "AWS_REGION"
    accessKeyID: "FIREHOSE_ACCESS_KEY"
    secretKey: FIREHOSE_SECRET_KEY

Or do we also need to include

stsAssumeRoleARN, statusStream

and

resultStream

You shouldn’t need the STS role since you’re including the key and secret. You do need the result and status streams.

Is there anywhere else we need to update the code to get results logs sent to firehose beside what I have mentioned above? Have you some example terraform for Firehose perhaps? We have just created a AWS user with below permissions policy to our specific delivery stream in staging environments:

"Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "firehose:DeleteDeliveryStream",
                "firehose:PutRecord",
                "firehose:PutRecordBatch",
                "firehose:UpdateDestination"

Hi @John Healy! Here's an answer from our infrastructure team:

https://github.com/fleetdm/fleet/blob/main/terraform/addons/logging-destination-firehose/main.tf is a complete firehose-to-s3 example for use with the Fleet terraform module that Zach wrote and we have been extending over time.

Thanks @Lucas Rodriguez We just need to get the data from fleet in to Firehose. We have tested already from Firehose to our onward destination(MongoDB) and it is working. So we just need to edit your example above? Also, is there there anywhere else we need to update the code to get results logs sent to firehose beside what I have mentioned above?

So we just need to edit your example above?

Yes. Here's a sample YAML with all the values needed: https://fleetdm.com/docs/deploying/configuration#example-yaml11