  • pvirani

    3 months ago
    Hey friends! For scheduled query results logging, is there a way to specify a destination Kinesis stream in a different AWS account than the one in which Fleet is running? (i.e. Fleet is running in accountA. My Destination Kinesis stream is in accountB)
  • Katheryn Satterlee

    3 months ago
    Hiya! You can send those logs to another account, just use the information for the destination you want to use for logging when configuring the plugin.
  • pvirani

    3 months ago
    - name: FLEET_OSQUERY_RESULT_LOG_PLUGIN
      value: "firehose"
    - name: FLEET_FIREHOSE_REGION
      value: "us-west-2"
    - name: FLEET_FIREHOSE_RESULT_STREAM
      value: "p8t-osquery-stage-logs-es"
    This is what I've configured. There doesn't seem to be a way to specify that the RESULT_STREAM is in fact in another account.
    Fleet keeps searching for the stream inside the same account 🙂 and fails, of course.
    Tried changing the following:
    - name: FLEET_FIREHOSE_RESULT_STREAM
      value: <ARN of the delivery stream in AccountB>
    but that doesn't work because the entire value just gets appended like so:
    arn:aws:firehose:<region>:<AccountA>:deliverystream/<ARN of the delivery stream in AccountB>

    I'll just create the stream inside AccountA I guess and configure cross-account rules on my downstream destination instead ... but this cross-account Kinesis stream option would be nice to have for sure
  • Katheryn Satterlee

    3 months ago
    Sorry for any confusion there. I saw Kinesis, so I assumed that was your log destination plugin. Let me dig in to firehose.
    You can also set your firehose_access_key_id and firehose_secret_access_key. The details for that are here: https://fleetdm.com/docs/deploying/configuration#firehose