Open zez3 opened 2 years ago
@joshdover What do you think?
You could use OSQuery for that as well:
SELECT path FROM file WHERE path LIKE '/var/log/%%';
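An extended form of the osquery query above, given here as an added example and not part of the original thread: it returns size and modification time from the same `file` table, so the files still being written to sort first. The 24-hour cutoff and the `active`/`idle` labels are assumptions chosen for illustration.

```sql
-- Added example: list regular files under /var/log with recency information.
-- '%%' makes the match recursive, as in the query above.
SELECT
  path,
  size,
  datetime(mtime, 'unixepoch') AS modified_utc,
  CASE
    -- Assumed threshold: written within the last 24 hours counts as active.
    WHEN mtime > CAST(strftime('%s', 'now') AS INTEGER) - 86400 THEN 'active'
    ELSE 'idle'
  END AS state
FROM file
WHERE path LIKE '/var/log/%%'
  AND type = 'regular'
ORDER BY mtime DESC;
```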
@zez3 Definitely agree this would be helpful. We've been discussing expanding another "shell" UI that's being added to add an ls command for finding files on a host.
Sometimes we need to gather more logs from our installed Agents, but in the blind we are not always sure what is relevant and what is not. The team that manages Elastic Stack does not always have access to the hosts where the Agents are running. The system owner or sysadmin uses sssd, or sometimes they use Shibboleth for authentication of other different services. For security reasons we need to gather all relevant logs. When we configure the Agent Integrations we would like to have a bit of visibility from the Agent beforehand.
It would be ideal to send a directory listing to Fleet and display it on the Agent status page, e.g. /var/log. Could also be a list of directories. Default: []
On our former log storage solution we've had an Agent config flag that could have been set: list_log_files:
We request something similar in Fleet and in the Agent configuration.
Extra nice perks: Recently modified files were highlighted in a different color, to help even more in identifying active logs. I'm thinking this could be pushed with the "Last activity" or health status.
This used to look like this: