(Jake Smith) #1

Hi All,

I was just wondering if this was possible.

  1. We install osquery on endpoints
  2. We use Filebeat to monitor the osquery results file. Each time an automated query is undertaken, Filebeat ships the results in JSON form to Graylog.
  3. On the Graylog side, we use the ‘Elastic Beats Input Plugin’ to provide inputs for Filebeat data from osquery?

(Jan Doberstein) #2

@Magneton you could add a JSON extractor to create single fields out of the message to be able to search more efficiently.

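As an added illustration of the pipeline in #1 and the JSON extractor suggested in #2 (example code written for this thread, not osquery's, Filebeat's or Graylog's own), the Python below reads lines in the shape osqueryd writes to its results log, as Filebeat would forward them, and flattens each one into single scalar fields the way a JSON extractor does (nested keys joined with a separator), so that `action`, `columns_path` or `snapshot_port` become directly searchable. It also handles the two shapes of result line: differential results carry one `columns` object per line, while snapshot results carry a `snapshot` array of rows, which this example splits into one event per row. The sample log lines, pack names, host name and UUID are constructed for the example, and indexing array elements into the key is a choice made here, not a statement about how Graylog's extractor treats arrays.

```python
import json
from typing import Any, Dict, List, Tuple

# Constructed sample lines in the one-JSON-object-per-line format of the
# osqueryd results log. Hosts, packs, UUIDs and values are invented; the
# last line is deliberately malformed to show how bad input is handled.
SAMPLE_RESULTS_LOG = """\
{"name":"pack_incident-response_process_events","hostIdentifier":"web-01","calendarTime":"Tue Jun  2 10:00:00 2020 UTC","unixTime":"1591092000","epoch":"0","counter":"1","decorations":{"host_uuid":"11111111-2222-3333-4444-555555555555"},"columns":{"pid":"4242","path":"/usr/bin/curl","cmdline":"curl http://example.test/payload","uid":"1000"},"action":"added"}
{"name":"pack_incident-response_process_events","hostIdentifier":"web-01","calendarTime":"Tue Jun  2 10:00:05 2020 UTC","unixTime":"1591092005","epoch":"0","counter":"2","decorations":{"host_uuid":"11111111-2222-3333-4444-555555555555"},"columns":{"pid":"4242","path":"/usr/bin/curl","cmdline":"curl http://example.test/payload","uid":"1000"},"action":"removed"}
{"name":"pack_osquery-monitoring_listening_ports","hostIdentifier":"web-01","calendarTime":"Tue Jun  2 10:01:00 2020 UTC","unixTime":"1591092060","epoch":"0","counter":"3","decorations":{"host_uuid":"11111111-2222-3333-4444-555555555555"},"snapshot":[{"pid":"1","port":"22","protocol":"6"},{"pid":"99","port":"4444","protocol":"6"}],"action":"snapshot"}
not json at all
"""


def flatten(obj: Any, prefix: str = "", sep: str = "_") -> Dict[str, Any]:
    """Flatten nested dicts/lists into single scalar fields.

    {"columns": {"pid": "1"}} becomes {"columns_pid": "1"}; list elements get
    their index in the key, so {"a": ["x", "y"]} becomes {"a_0": "x", "a_1": "y"}.
    """
    out: Dict[str, Any] = {}

    def _walk(node: Any, path: str) -> None:
        if isinstance(node, dict):
            for key, value in node.items():
                _walk(value, f"{path}{sep}{key}" if path else str(key))
        elif isinstance(node, list):
            for idx, value in enumerate(node):
                _walk(value, f"{path}{sep}{idx}" if path else str(idx))
        else:
            out[path] = node

    _walk(obj, prefix)
    return out


def parse_results_log(text: str) -> Tuple[List[Dict[str, Any]], int]:
    """Turn osquery result-log lines into flat, searchable events.

    Differential lines ("action" added/removed) become one event each.
    Snapshot lines carry a "snapshot" array of rows; each row becomes its own
    event (with the line's metadata copied in) so it can be searched on its
    columns like a differential result. Returns (events, unparseable_lines).
    """
    events: List[Dict[str, Any]] = []
    bad = 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            bad += 1
            continue
        if not isinstance(record, dict):
            bad += 1
            continue
        if record.get("action") == "snapshot" and isinstance(record.get("snapshot"), list):
            rows = record.pop("snapshot")
            base = flatten(record)
            for row in rows:
                event = dict(base)
                event.update(flatten(row, prefix="snapshot"))
                events.append(event)
        else:
            events.append(flatten(record))
    return events, bad


def search(events: List[Dict[str, Any]], **criteria: Any) -> List[Dict[str, Any]]:
    """Return events whose flattened fields equal every given criterion,
    e.g. search(events, action="added", columns_path="/usr/bin/curl")."""
    return [e for e in events if all(e.get(k) == v for k, v in criteria.items())]


if __name__ == "__main__":
    parsed, skipped = parse_results_log(SAMPLE_RESULTS_LOG)
    print(f"{len(parsed)} events, {skipped} unparseable line(s)")
    for hit in search(parsed, action="added"):
        print("new process:", hit["hostIdentifier"], hit["columns_path"], hit["columns_cmdline"])
    for hit in search(parsed, action="snapshot"):
        print("listening:", hit["hostIdentifier"], "port", hit["snapshot_port"], "pid", hit["snapshot_pid"])
```

With Filebeat shipping each line unchanged, the same flattening applied to the `message` field in Graylog gives you fields such as `columns_path` to search and alert on; the one thing worth checking in your own setup is how snapshot queries arrive, since a single line holding a whole array yields either indexed keys or, as here, one event per row.
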
(Jake Smith) #3

Ok cool, thanks for the information.

