osquery

From Jamf to Chef, Part 2 – The Sea Change (and figuring out a few basics)

“What I want,” Darren said, “is for everything, all configuration data, to be text files.”

To get the full effect of that sentence, you have to imagine it being said with a British accent, in a voice so low it often feels like he’s letting you in on a secret, and with pauses at least three seconds long in place of each of the commas.

Deploying Filebeat on macOS

Over the past few days I got a few questions about the way I’ve deployed Filebeat to transport osquery logs, so I thought I’d do a quick writeup about it.

There are a few components to this.

  • Filebeat executable (the Darwin version)
  • filebeat.yml (config file that tells Filebeat where to deliver the logs)
  • Certificates (for TLS transport, placed in your location of choice)
  • com.elastic.filebeat.plist (Launchd task to daemonize Filebeat)