The other important component of the utility is the osquery daemon, or osqueryd. It sits in the background and executes scheduled queries. Although osqueryd is installed along with osqueryi, it isn't enabled by default. For that, it requires a configuration file.

Creating a configuration file also makes it easier to run osqueryi. Instead of having to pass a lot of command-line options, osqueryi can read those options from a configuration file. The tool looks for the configuration file at /etc/osquery/nf, but it does not ship with one. Instead, you can copy the sample configuration file that's available in /usr/share/osquery/. The configuration file uses the JSON format. The sample file is commented out by default, and you can uncomment the options you want to enable.

You can find the complete list of options and settings in the osquery wiki. The configuration file is divided into three sections, as shown in Listing 1. At the top is the list of daemon options and settings read by both osqueryi and osqueryd, followed by a list of scheduled queries and when they should run. At the bottom is a list of query packs that contain more specific queries.

I've used several options in the configuration file. The host_identifier field determines how the host running osquery is identified in the logs; the value hostname simply inserts the hostname of the computer on which the daemon is running. The config_plugin=filesystem option asks the daemon to read the configuration file from disk. Similarly, logger_plugin=filesystem asks it to write the logs to the filesystem. Related to it are the disable_logging=false option, which keeps results logging enabled, and the logger_path option, which specifies the directory the logs are written to. Lastly, the schedule_splay_percent option prevents queries that happen to share the same interval from all firing at the same moment: each query's interval is randomly shifted by up to the given percentage, here 10 percent.

Booster Packs

Besides the options, I've also added a query to the configuration. Although I've added just one query to my configuration file (line 12), I have also included three query packs (lines 17-19). Query packs are JSON files that contain additional queries. Think of them as software libraries that you've just imported into the configuration file. If you want to view or change the queries that will be running from the packs, you'll find them under the /var/osquery/packs directory. It's a good idea to scan the queries inside the packs you want to use, because you might want to change the interval at which a query runs, or even disable some that aren't applicable to your machines.

When you're done, save and close the file and validate it with:

$ sudo osqueryctl config-check

Make sure there aren't any errors, and double-check that every opening brace and bracket is closed at the right spot. If you close the schedule block early, the file can still be valid JSON, so osqueryctl will not report an error, but the queries that fell outside the block will never run. To see all of the queries that are actually scheduled from the config, run:

SELECT name FROM osquery_schedule;

This query lists all scheduled queries, including those pulled in from the packs.

Now that you have a valid configuration, you can start osqueryd with either systemctl or the osqueryctl helper script, such as:

$ sudo osqueryctl start

As soon as the daemon comes to life, it creates its results file under /var/log/osquery/ to store the generated results. Results start showing up as soon as the scheduled queries and packs are run. Unfortunately, osquery has no alerting facility of its own, so you won't see the results of scheduled queries unless you view the results file. You can, however, use the tail command to stream the last 10 lines of the file continuously to your screen:

$ sudo tail -f /var/log/osquery/

As you can see, osquery is a powerful tool that's useful for investigating one or many systems using simple SQL syntax. You can use it to make one-off queries, or combine it with a log analysis app for a comprehensive threat-monitoring system: forward the results logs to an external application (e.g., Zentral or Elasticsearch) for log analysis and alert generation.

Ok, so you've done some quick reading, or perhaps someone told you about how friggin awesome osquery is and how they've used it to solve world hunger in their new fancy startup. Osquery sounds really awesome and you're ready to go hog-wild. That's what this series of blog posts is for. Osquery is incredibly powerful and getting started can seem ... However, as soon as you start talking production deployments, things get a little more tricky.
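The three-section configuration described above (options, schedule, packs), together with a check for the brace-closed-early problem that config-check does not catch, as an added example. This is not the article's Listing 1 or any osquery project code: the scheduled query, the three pack file names, and the constructed broken file are my assumptions, chosen to illustrate the layout.

```python
"""Build and sanity-check an osqueryd configuration with the three sections
described above: options, schedule, packs.  Added example, not the article's
Listing 1.  The scheduled query and the pack file names are assumptions."""
import json
from typing import List

# Paths from the article; the three pack file names are assumed.
PACK_DIR = "/var/osquery/packs"
LOGGER_PATH = "/var/log/osquery"
PACKS = ("incident-response", "osquery-monitoring", "vuln-management")


def build_config() -> dict:
    """Return the configuration as a dict ready to be dumped as JSON."""
    return {
        "options": {
            "host_identifier": "hostname",        # tag log lines with the hostname
            "config_plugin": "filesystem",        # read this file from disk
            "logger_plugin": "filesystem",        # write results under logger_path
            "disable_logging": "false",           # keep results logging on
            "logger_path": LOGGER_PATH,
            "schedule_splay_percent": "10",       # spread queries sharing an interval
        },
        "schedule": {
            # Assumed query: which processes listen on the network, every 5 min.
            "listening_ports": {
                "query": "SELECT p.pid, p.name, p.path, lp.port, lp.protocol, lp.address "
                         "FROM listening_ports AS lp JOIN processes AS p USING (pid) "
                         "WHERE lp.port != 0;",
                "interval": 300,
            },
        },
        "packs": {name: f"{PACK_DIR}/{name}.conf" for name in PACKS},
    }


def config_json() -> str:
    """The configuration serialised the way it would be written to disk."""
    return json.dumps(build_config(), indent=2)


def misplaced_queries(config_text: str) -> List[str]:
    """Return names of scheduled queries that ended up outside "schedule".

    config-check only confirms the file parses.  A schedule block closed one
    brace too early is still valid JSON, but every query after the stray
    brace becomes an unknown top-level key that osqueryd ignores: it never
    runs and never appears in osquery_schedule.  This catches that case.
    """
    cfg = json.loads(config_text)          # raises ValueError on broken JSON
    return sorted(
        key for key, value in cfg.items()
        if key != "schedule" and isinstance(value, dict)
        and "query" in value and "interval" in value
    )


def scheduled_names(config_text: str) -> List[str]:
    """Names osqueryd will actually run from the schedule block."""
    return sorted(json.loads(config_text).get("schedule", {}))


# Constructed broken file: the "}" after listening_ports closes the schedule,
# so "crontab" silently becomes a top-level key and is never scheduled.
BROKEN_CONFIG = """{
  "options": {"config_plugin": "filesystem", "logger_plugin": "filesystem"},
  "schedule": {
    "listening_ports": {"query": "SELECT * FROM listening_ports;", "interval": 300}
  },
    "crontab": {"query": "SELECT * FROM crontab;", "interval": 3600},
  "packs": {}
}"""

if __name__ == "__main__":
    text = config_json()
    print(text)                                   # write this to the config path
    print("scheduled:", scheduled_names(text))
    print("scheduled in broken file:", scheduled_names(BROKEN_CONFIG))
    print("misplaced in broken file:", misplaced_queries(BROKEN_CONFIG))
```

Run the misplaced_queries check on the file before you start the daemon, or compare the names it reports against SELECT name FROM osquery_schedule; a query that is missing from the schedule table but present in the file has almost always fallen outside the schedule block.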
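Because osquery writes results but has no alerting facility, the step after tail -f is usually a small piece of glue that reads the results log and raises alerts, whether that glue is Elasticsearch, Zentral, or a script like the following. This is an added example, not code from the article or from osquery. It assumes the default Linux results path /var/log/osquery/osqueryd.results.log, one JSON object per line, in either osquery's default event format (one row per line with an "action") or its batched format ("diffResults" with "added" and "removed" lists); the sample lines, the query names and the allowed-port list are constructed for the example.

```python
"""Minimal alerting over osqueryd's results log.  Added example: osquery
writes the log but raises no alerts itself, so this is the glue you run on
top of it.  Assumptions: the default results path below, newline-delimited
JSON, and either the event or the batched log format.  Sample data is made up."""
import json
import time
from typing import Callable, Dict, Iterable, Iterator, List, Tuple

RESULTS_LOG = "/var/log/osquery/osqueryd.results.log"  # assumed default path

# Ports we expect to be open; anything else that starts listening is suspicious.
ALLOWED_PORTS = {"22", "80", "443"}

# scheduled query name -> predicate deciding whether an added row alerts
Rule = Callable[[dict], bool]
RULES: Dict[str, Rule] = {
    "listening_ports": lambda row: row.get("port") not in ALLOWED_PORTS,
    "pack_incident-response_crontab": lambda row: True,   # any new cron entry
}


def added_rows(record: dict) -> Iterable[dict]:
    """Yield rows that appeared since the previous run, in either log format."""
    if "action" in record:                                # event format
        if record["action"] == "added":
            yield record.get("columns", {})
    else:                                                 # batched format
        yield from record.get("diffResults", {}).get("added", [])


def alerts_from_lines(lines: Iterable[str],
                      rules: Dict[str, Rule] = RULES) -> Tuple[List[dict], int]:
    """Return (alerts, bad_lines).

    alerts: one dict per added row that matches its query's rule.
    bad_lines: lines that were not JSON, e.g. a write tail -f caught
    half-finished; they are skipped rather than allowed to kill the loop."""
    alerts: List[dict] = []
    bad = 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except ValueError:
            bad += 1
            continue
        rule = rules.get(rec.get("name", ""))
        if rule is None:                                  # query we don't watch
            continue
        for row in added_rows(rec):
            if rule(row):
                alerts.append({"host": rec.get("hostIdentifier"),
                               "query": rec["name"],
                               "time": rec.get("calendarTime"),
                               "row": row})
    return alerts, bad


def follow(path: str = RESULTS_LOG, poll: float = 1.0) -> Iterator[str]:
    """Yield new lines as osqueryd appends them: tail -f in Python."""
    with open(path) as fh:
        fh.seek(0, 2)                                     # start at end of file
        while True:
            line = fh.readline()
            if line:
                yield line
            else:
                time.sleep(poll)


# Constructed sample of osqueryd output (real deployments use one format,
# both are mixed here to exercise both branches); the last line is truncated.
SAMPLE_LOG = [
    '{"name":"listening_ports","hostIdentifier":"web01","calendarTime":"Mon May  6 10:00:00 2019 UTC",'
    '"unixTime":1557136800,"epoch":0,"counter":3,"numerics":false,"decorations":{},'
    '"columns":{"name":"nc","path":"/usr/bin/nc","port":"4444","protocol":"6","address":"0.0.0.0"},"action":"added"}',
    '{"name":"listening_ports","hostIdentifier":"web01","calendarTime":"Mon May  6 10:00:00 2019 UTC",'
    '"unixTime":1557136800,"epoch":0,"counter":3,"numerics":false,"decorations":{},'
    '"columns":{"name":"sshd","path":"/usr/sbin/sshd","port":"22","protocol":"6","address":"0.0.0.0"},"action":"removed"}',
    '{"name":"pack_incident-response_crontab","hostIdentifier":"web01","calendarTime":"Mon May  6 10:05:00 2019 UTC",'
    '"unixTime":1557137100,"epoch":0,"counter":1,"numerics":false,"decorations":{},'
    '"diffResults":{"added":[{"command":"/tmp/.x/run.sh","minute":"*/5","hour":"*","path":"/etc/crontab"}],"removed":[]}}',
    '{"name":"listening_ports","hostIdentifier":"web01","calendarTime":"Mon May  6 10:05:00 2019 UTC","unixTi',
]

if __name__ == "__main__":
    found, skipped = alerts_from_lines(SAMPLE_LOG)
    for alert in found:
        print(f"ALERT {alert['host']} {alert['query']} {alert['time']}: {alert['row']}")
    print(f"skipped {skipped} unparsable line(s)")
    # Live use: for line in follow(): ... alerts_from_lines([line])
```

Only "added" rows alert: a port that stops listening or a cron job that disappears is a "removed" row and is passed over, which is what you want for a first pass, since differential results report every change in both directions.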