fleet/docs/1-Using-Fleet/4-Osquery-logs.md

# Osquery Logs
- [Osquery logging plugins](#osquery-logging-plugins)
  - [Filesystem](#filesystem)
  - [Firehose](#firehose)
  - [Kinesis](#kinesis)
  - [PubSub](#pubsub)
  - [Stdout](#stdout)

Osquery agents are typically configured to send logs to the Fleet server (`--logger_plugin=tls`). This is not a requirement, and any other logger plugin can be used even when osquery clients are connecting to the Fleet server to retrieve configuration or run live queries. See the [osquery logging documentation](https://osquery.readthedocs.io/en/stable/deployment/logging/) for more about configuring logging on the agent.

If `--logger_plugin=tls` is used with osquery clients, the following configuration can be applied on the Fleet server for handling the incoming logs.

## Osquery logging plugins

Fleet supports the following logging plugins for osquery logs:

- [Filesystem](#filesystem) - Logs are written to the local Fleet server filesystem.
- [Firehose](#firehose) - Logs are written to AWS Firehose streams.
- [Kinesis](#kinesis) - Logs are written to AWS Kinesis streams.
- [PubSub](#pubsub) - Logs are written to Google Cloud PubSub topics.
- [Stdout](#stdout) - Logs are written to stdout.

To set the osquery logging plugins, use the `--osquery_result_log_plugin` and `--osquery_status_log_plugin` flags (or [equivalents for environment variables or configuration files](../2-Deployment/2-Configuration.md#options)).

### Filesystem

The default logging plugin.

- Plugin name: `filesystem`
- Flag namespace: [filesystem](../2-Deployment/2-Configuration.md#filesystem)

With the filesystem plugin, osquery result and/or status logs are written to the local filesystem on the Fleet server. This is typically used with a log forwarding agent on the Fleet server that will push the logs into a logging pipeline. Note that if multiple load-balanced Fleet servers are used, the logs will be load-balanced across those servers (not duplicated).

### Firehose

- Plugin name: `firehose`
- Flag namespace: [firehose](../2-Deployment/2-Configuration.md#firehose)

With the Firehose plugin, osquery result and/or status logs are written to [AWS Firehose](https://aws.amazon.com/kinesis/data-firehose/) streams. This is a very good method for aggregating osquery logs into AWS S3 storage.

Note that Firehose logging has limits [discussed in the documentation](https://docs.aws.amazon.com/firehose/latest/dev/limits.html). When Fleet encounters logs that are too big for Firehose, notifications will be output in the Fleet logs and those logs _will not_ be sent to Firehose.

### Kinesis

- Plugin name: `kinesis`
- Flag namespace: [kinesis](../2-Deployment/2-Configuration.md#kinesis)

With the Kinesis plugin, osquery result and/or status logs are written to
[AWS Kinesis](https://aws.amazon.com/kinesis/data-streams) streams.

Note that Kinesis logging has limits [discussed in the
documentation](https://docs.aws.amazon.com/kinesis/latest/dev/limits.html).
When Fleet encounters logs that are too big for Kinesis, notifications will be
output in the Fleet logs and those logs _will not_ be sent to Kinesis.

### PubSub

- Plugin name: `pubsub`
- Flag namespace: [pubsub](../2-Deployment/2-Configuration.md#pubsub)

With the PubSub plugin, osquery result and/or status logs are written to [PubSub](https://cloud.google.com/pubsub/) topics.

Note that messages over 10MB will be dropped, with a notification sent to the fleet logs, as these can never be processed by PubSub.

### Stdout

- Plugin name: `stdout`
- Flag namespace: [stdout](../2-Deployment/2-Configuration.md#stdout)

With the stdout plugin, osquery result and/or status logs are written to stdout
on the Fleet server. This is typically used for debugging or with a log
forwarding setup that will capture and forward stdout logs into a logging
pipeline. Note that if multiple load-balanced Fleet servers are used, the logs
will be load-balanced across those servers (not duplicated).
Part 2 of documentation restructure. Using Fleet section. (#148) This PR includes the Using Fleet section of the documentation restructure #144. It shouldn't be merged until changes are approved for the entire restructuring (part 1, part 2, and part 3). Update the naming convention for the files to number prefixes. 2020-12-24 22:12:44 +00:00			`# Osquery Logs`
			`- [Osquery logging plugins](#osquery-logging-plugins)`
			`- [Filesystem](#filesystem)`
			`- [Firehose](#firehose)`
			`- [Kinesis](#kinesis)`
			`- [PubSub](#pubsub)`
			`- [Stdout](#stdout)`

			Osquery agents are typically configured to send logs to the Fleet server (`--logger_plugin=tls`). This is not a requirement, and any other logger plugin can be used even when osquery clients are connecting to the Fleet server to retrieve configuration or run live queries. See the [osquery logging documentation](https://osquery.readthedocs.io/en/stable/deployment/logging/) for more about configuring logging on the agent.

			If `--logger_plugin=tls` is used with osquery clients, the following configuration can be applied on the Fleet server for handling the incoming logs.

			`## Osquery logging plugins`

			`Fleet supports the following logging plugins for osquery logs:`

			`- [Filesystem](#filesystem) - Logs are written to the local Fleet server filesystem.`
			`- [Firehose](#firehose) - Logs are written to AWS Firehose streams.`
			`- [Kinesis](#kinesis) - Logs are written to AWS Kinesis streams.`
			`- [PubSub](#pubsub) - Logs are written to Google Cloud PubSub topics.`
			`- [Stdout](#stdout) - Logs are written to stdout.`

Fix markdown link check CI action. (#169) - Split the array of objects to separate objects for each pattern in ignorePatterns. Rename the key in each object to "pattern." The documentation for the example config file is poor. - Add hello@fleetdm.com and /server/datastore/mysql/migrations/ to ignorePatterns - Add 999 to aliveStatucCodes (Seems to be a LinkedIn edge case) - Fix all broken markdown links 2021-01-04 21:55:05 +00:00			To set the osquery logging plugins, use the `--osquery_result_log_plugin` and `--osquery_status_log_plugin` flags (or [equivalents for environment variables or configuration files](../2-Deployment/2-Configuration.md#options)).
Part 2 of documentation restructure. Using Fleet section. (#148) This PR includes the Using Fleet section of the documentation restructure #144. It shouldn't be merged until changes are approved for the entire restructuring (part 1, part 2, and part 3). Update the naming convention for the files to number prefixes. 2020-12-24 22:12:44 +00:00
			`### Filesystem`

			`The default logging plugin.`

			- Plugin name: `filesystem`
Fix markdown link check CI action. (#169) - Split the array of objects to separate objects for each pattern in ignorePatterns. Rename the key in each object to "pattern." The documentation for the example config file is poor. - Add hello@fleetdm.com and /server/datastore/mysql/migrations/ to ignorePatterns - Add 999 to aliveStatucCodes (Seems to be a LinkedIn edge case) - Fix all broken markdown links 2021-01-04 21:55:05 +00:00			`- Flag namespace: [filesystem](../2-Deployment/2-Configuration.md#filesystem)`
Part 2 of documentation restructure. Using Fleet section. (#148) This PR includes the Using Fleet section of the documentation restructure #144. It shouldn't be merged until changes are approved for the entire restructuring (part 1, part 2, and part 3). Update the naming convention for the files to number prefixes. 2020-12-24 22:12:44 +00:00
			`With the filesystem plugin, osquery result and/or status logs are written to the local filesystem on the Fleet server. This is typically used with a log forwarding agent on the Fleet server that will push the logs into a logging pipeline. Note that if multiple load-balanced Fleet servers are used, the logs will be load-balanced across those servers (not duplicated).`

			`### Firehose`

			- Plugin name: `firehose`
Fix markdown link check CI action. (#169) - Split the array of objects to separate objects for each pattern in ignorePatterns. Rename the key in each object to "pattern." The documentation for the example config file is poor. - Add hello@fleetdm.com and /server/datastore/mysql/migrations/ to ignorePatterns - Add 999 to aliveStatucCodes (Seems to be a LinkedIn edge case) - Fix all broken markdown links 2021-01-04 21:55:05 +00:00			`- Flag namespace: [firehose](../2-Deployment/2-Configuration.md#firehose)`
Part 2 of documentation restructure. Using Fleet section. (#148) This PR includes the Using Fleet section of the documentation restructure #144. It shouldn't be merged until changes are approved for the entire restructuring (part 1, part 2, and part 3). Update the naming convention for the files to number prefixes. 2020-12-24 22:12:44 +00:00
			`With the Firehose plugin, osquery result and/or status logs are written to [AWS Firehose](https://aws.amazon.com/kinesis/data-firehose/) streams. This is a very good method for aggregating osquery logs into AWS S3 storage.`

			`Note that Firehose logging has limits [discussed in the documentation](https://docs.aws.amazon.com/firehose/latest/dev/limits.html). When Fleet encounters logs that are too big for Firehose, notifications will be output in the Fleet logs and those logs _will not_ be sent to Firehose.`

			`### Kinesis`

			- Plugin name: `kinesis`
Fix markdown link check CI action. (#169) - Split the array of objects to separate objects for each pattern in ignorePatterns. Rename the key in each object to "pattern." The documentation for the example config file is poor. - Add hello@fleetdm.com and /server/datastore/mysql/migrations/ to ignorePatterns - Add 999 to aliveStatucCodes (Seems to be a LinkedIn edge case) - Fix all broken markdown links 2021-01-04 21:55:05 +00:00			`- Flag namespace: [kinesis](../2-Deployment/2-Configuration.md#kinesis)`
Part 2 of documentation restructure. Using Fleet section. (#148) This PR includes the Using Fleet section of the documentation restructure #144. It shouldn't be merged until changes are approved for the entire restructuring (part 1, part 2, and part 3). Update the naming convention for the files to number prefixes. 2020-12-24 22:12:44 +00:00
			`With the Kinesis plugin, osquery result and/or status logs are written to`
			`[AWS Kinesis](https://aws.amazon.com/kinesis/data-streams) streams.`

			`Note that Kinesis logging has limits [discussed in the`
			`documentation](https://docs.aws.amazon.com/kinesis/latest/dev/limits.html).`
			`When Fleet encounters logs that are too big for Kinesis, notifications will be`
			`output in the Fleet logs and those logs _will not_ be sent to Kinesis.`

			`### PubSub`

			- Plugin name: `pubsub`
Fix markdown link check CI action. (#169) - Split the array of objects to separate objects for each pattern in ignorePatterns. Rename the key in each object to "pattern." The documentation for the example config file is poor. - Add hello@fleetdm.com and /server/datastore/mysql/migrations/ to ignorePatterns - Add 999 to aliveStatucCodes (Seems to be a LinkedIn edge case) - Fix all broken markdown links 2021-01-04 21:55:05 +00:00			`- Flag namespace: [pubsub](../2-Deployment/2-Configuration.md#pubsub)`
Part 2 of documentation restructure. Using Fleet section. (#148) This PR includes the Using Fleet section of the documentation restructure #144. It shouldn't be merged until changes are approved for the entire restructuring (part 1, part 2, and part 3). Update the naming convention for the files to number prefixes. 2020-12-24 22:12:44 +00:00
			`With the PubSub plugin, osquery result and/or status logs are written to [PubSub](https://cloud.google.com/pubsub/) topics.`

			`Note that messages over 10MB will be dropped, with a notification sent to the fleet logs, as these can never be processed by PubSub.`

			`### Stdout`

			- Plugin name: `stdout`
Fix markdown link check CI action. (#169) - Split the array of objects to separate objects for each pattern in ignorePatterns. Rename the key in each object to "pattern." The documentation for the example config file is poor. - Add hello@fleetdm.com and /server/datastore/mysql/migrations/ to ignorePatterns - Add 999 to aliveStatucCodes (Seems to be a LinkedIn edge case) - Fix all broken markdown links 2021-01-04 21:55:05 +00:00			`- Flag namespace: [stdout](../2-Deployment/2-Configuration.md#stdout)`
Part 2 of documentation restructure. Using Fleet section. (#148) This PR includes the Using Fleet section of the documentation restructure #144. It shouldn't be merged until changes are approved for the entire restructuring (part 1, part 2, and part 3). Update the naming convention for the files to number prefixes. 2020-12-24 22:12:44 +00:00
			`With the stdout plugin, osquery result and/or status logs are written to stdout`
			`on the Fleet server. This is typically used for debugging or with a log`
			`forwarding setup that will capture and forward stdout logs into a logging`
			`pipeline. Note that if multiple load-balanced Fleet servers are used, the logs`
			`will be load-balanced across those servers (not duplicated).`