    Artem

    1 year ago
    Hello! Is it possible in the future to bring the Fleet result logs into accordance with ECS (https://www.elastic.co/guide/en/ecs/current/ecs-reference.html) out of the box? Or maybe it is possible to do it now? It may be reasonable for easier and faster integration of osquery/fleet with the Elastic Security (SIEM) module.
    Gavin

    1 year ago
    Please take a look at the following issue: https://github.com/elastic/beats/issues/21010. The issue is with the way the beat shipper operates and fills in additional metadata from the host. It’s possible right now if you wrangle your beats shipper config.
    filebeat.inputs:
      - type: log
        enabled: true
        paths:
          - /var/log/osqueryd.results.log
        json.keys_under_root: true
        fields_under_root: true
        publisher_pipeline.disable_host: true
    
    filebeat.config.modules:
      # Glob pattern for configuration loading
      path: ${path.config}/modules.d/*.yml
      # Set to true to enable config reloading
      reload.enabled: false
      # Period on which files under path should be checked for changes
      # reload.period: 10s

    The assumption here is that you run the latest beats agent either as a sidecar or on the host where you’re running kolide fleet, and ship from the file system.
    publisher_pipeline.disable_host: true
    is a beats config option to not try and fill in additional ECS metadata from the beats agent instead of the original log source.
    Note the issue was raised for discussion rather than as a direct PR, as the Beats team were not keen to accept any changes at this time because they’re working on Osquery support for their SIEM product.