# fleet

Arsenio

02/07/2023, 8:17 PM
Hello! Enabled audit logging on Fleet version 4.26. We are using Firehose to send to an S3 bucket. The permissions we have for the audit logs are identical to the status and results logs that work and that we are getting logs for. I enabled audit logging and set the audit log plugin to firehose, but I am not getting anything. I tried logging in, and I see other activities, to generate data. No Terraform errors either. Are there any other environment variables that would need to be set?

Kathy Satterlee

02/07/2023, 8:48 PM
Hi @Arsenio! How long ago did you enable audit logging? There is a slight delay between an action and the logs showing up. Here are all of the settings needed for audit logging:
• Base Firehose settings (would already be set if you were sending results or status logs before)
• Activity log settings:
  ◦ Enable audit log
  ◦ Audit log plugin
  ◦ Audit log stream

Arsenio

02/07/2023, 8:57 PM
We enabled it a few hours ago. I did notice a variable for FLEET_FIREHOSE_STS_ASSUME_ROLE_ARN, which we don't have, but the status and result logs do come in without it enabled.

Kathy Satterlee

02/07/2023, 8:59 PM
Also note that audit logging is a Fleet Premium feature, are you using the Community edition or have you purchased a Fleet license?
Getting the documentation updated to make that a little more visible as well!

Arsenio

02/07/2023, 9:14 PM
Ah yes, we are on the freemium edition lol. Thank you @Kathy Satterlee!

Kathy Satterlee

02/07/2023, 9:17 PM
Gotcha. The Activities API is available and has all of the same data. You could definitely set something up using that to keep an eye on things. :) If you want to chat with someone about moving to Premium, just let me know!

John Healy

03/13/2023, 3:39 PM
@Kathy Satterlee Is the use of the query logs also a Fleet Premium feature, or is it just the activity logs? We are looking at sending the query logs from Fleet Community to Kinesis Data Firehose and onwards to a MongoDB database.

Kathy Satterlee

03/13/2023, 3:40 PM
Just the activity logs. Result logs can be forwarded.

John Healy

03/13/2023, 3:53 PM
Ok, and to send the activity logs, the YAML would look something like this?

```yaml
osquery:
  osquery_status_log_plugin: firehose
  osquery_result_log_plugin: firehose

logging:
  statusPlugin: firehose
  resultPlugin: firehose

  firehose:
    region: "AWS_REGION"
    accessKeyID: "FIREHOSE_ACCESS_KEY"
    secretKey: FIREHOSE_SECRET_KEY
```

Or do we also need to include `stsAssumeRoleARN`, `statusStream` and `resultStream`?

Kathy Satterlee

03/13/2023, 3:58 PM
You shouldn’t need the STS role since you’re including the key and secret. You do need the result and status streams.

John Healy

03/14/2023, 9:38 AM
Is there anywhere else we need to update the code to get result logs sent to Firehose besides what I have mentioned above? Have you some example Terraform for Firehose, perhaps? We have just created an AWS user with the below permissions policy scoped to our specific delivery stream in the staging environment:

```json
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
    "firehose:DeleteDeliveryStream",
    "firehose:PutRecord",
    "firehose:PutRecordBatch",
    "firehose:UpdateDestination"
]
```

Lucas Rodriguez

03/14/2023, 4:44 PM
Hi @John Healy! Here's an answer from our infrastructure team:
https://github.com/fleetdm/fleet/blob/main/terraform/addons/logging-destination-firehose/main.tf is a complete firehose-to-s3 example for use with the Fleet terraform module that Zach wrote and we have been extending over time.

John Healy

03/15/2023, 10:04 AM
Thanks @Lucas Rodriguez. We just need to get the data from Fleet into Firehose. We have already tested from Firehose to our onward destination (MongoDB), and it is working. So we just need to edit your example above? Also, is there anywhere else we need to update the code to get result logs sent to Firehose besides what I have mentioned above?

Lucas Rodriguez

03/15/2023, 2:29 PM
> So we just need to edit your example above?

Yes. Here's a sample YAML with all the values needed: https://fleetdm.com/docs/deploying/configuration#example-yaml11

> Also, is there anywhere else we need to update the code to get result logs sent to Firehose besides what I have mentioned above?

No. AFAICS that should be it.