Osquery snapshot

Hi, I am using filebeat to collect osquery snapshot log /var/log/osquery/osqueryd.snapshots.log.

Do I need to add the above path to the paths setting?
Currently it only contains /var/log/osquery/osqueryd.results.log

Are you collecting the raw log as is or are you using a filebeat module? If both files have the same formatting, you can easily add both files to paths or use a glob.

I am using filebeat module. Both files are formatted as json per line.

The problem is filebeat osquery module does not document if I need to include
/var/log/osquery/osqueryd.snapshots.log in the paths config manually.

# Set custom paths for the log files. If left empty,
# Filebeat will choose the paths depending on your OS.
#var.paths: ["/var/log/osquery/osqueryd.results.log*"]

So to ensure it works, I set the paths to
var.paths: ["/var/log/osquery/osqueryd.results.log*", "/var/log/osquery/osqueryd.snapshots.log*"]
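Before globbing both files into one module input it is worth confirming how far "same formatting" holds: both logs are JSON per line, but a differential result carries one row in `columns` with action added/removed, while a snapshot carries the whole result set in a `snapshot` array. The following Python script is an added illustration, not code from the thread or from Filebeat; the sample lines, host name and query name are constructed placeholders following osquery's documented log layout.

```python
import json

# Constructed sample lines (not from the thread): one differential result
# line as osqueryd.results.log writes it and one snapshot line as
# osqueryd.snapshots.log writes it. Host and query names are placeholders.
RESULTS_LINE = json.dumps({
    "name": "pack_example_listening_ports",
    "hostIdentifier": "host-placeholder",
    "unixTime": 1704067200,
    "columns": {"pid": "1234", "port": "22", "address": "0.0.0.0"},
    "action": "added",
})
SNAPSHOT_LINE = json.dumps({
    "name": "pack_example_listening_ports",
    "hostIdentifier": "host-placeholder",
    "unixTime": 1704067200,
    "snapshot": [
        {"pid": "1234", "port": "22", "address": "0.0.0.0"},
        {"pid": "5678", "port": "443", "address": "0.0.0.0"},
    ],
    "action": "snapshot",
})


def flatten_osquery_line(line):
    """Return one event dict per result row for either log format.

    Differential lines hold a single row under 'columns'; snapshot lines
    hold the full result set under 'snapshot', expanded to one event per row.
    """
    record = json.loads(line)
    action = record.get("action")
    meta = {k: record[k] for k in ("name", "hostIdentifier", "unixTime") if k in record}
    if action == "snapshot":
        rows = record.get("snapshot", [])
    elif action in ("added", "removed"):
        rows = [record.get("columns", {})]
    else:
        raise ValueError("unrecognised osquery log line: action=%r" % action)
    return [dict(meta, action=action, columns=row) for row in rows]


def count_events(lines):
    """Count flattened events per action across a mix of lines from both files."""
    counts = {}
    for line in lines:
        for event in flatten_osquery_line(line):
            counts[event["action"]] = counts.get(event["action"], 0) + 1
    return counts
```

Running `count_events` over a few lines from each file shows how many per-row events a snapshot expands to, which is what decides whether the module's results-oriented processing gives you the fields you expect from the snapshot log.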