like how to distribute the config file and change it across the enterprise

@adel, speaking strictly for detecting vulnerable packages on linux (rpm, deb), OSquery allows you to query for package name version etc, which you’d have to compare against data from your feed. Package naming conventions are non standard and outlined here https://www.debian.org/doc/manuals/developers-reference/pkgs.html. Comparing packages is a bit challenging, but IMO, this python package does a reasonable job https://pypi.python.org/pypi/version_utils. In my case it worked for rpm and deb packages.

Hi @pleegor, I'm a co-founder of Kolide and I can provide a bit of perspective... osquery management tools such as those you mentioned can help extend the capabilities and ease the management of an osquery installation. Here are the major benefits we offer in Kolide right now. 1) Get a basic understanding of which hosts are running osquery, and their online status. With osquery by itself, you'd have to piece this sort of information together through your log aggregation system. 2) Live queries. Run osquery queries across your fleet instantly, and see aggregated results right in your web browser. This can be useful for hunting, incident response, or just iterating on queries that you intend to schedule. 3) Labels. Create dynamic groupings of hosts (by utilizing osquery queries), and target packs and live queries against these hosts. This can also be useful to create groupings of out of compliance hosts, for example. 4) Scheduling query packs. Update the queries in Kolide, and the osquery hosts will begin running them very soon after. Compare this with existing workflows: push changes to your configuration management system, and then manually (or probably also using whatever handles the configuration) restart the osquery agent on each host.

If you have osquery running on one machine and docker on that same machine, can you see processes running within the container utilizing osquery?

@zwass nice! I'll definitely give it a look. Thanks dude!

so for example, maybe i want to know about some set of data ASAP, but i only want that query to run once a week. normally i’d just set the interval to 604800, but then i would have to wait a week to get my initial set of results

Hey everyone, I was wondering, can I install/run osquery using Docker? If so, do I need to use e.g. privileged mode and / or mount any host directories on the container?

@isairamm you can just bump the attribute version within your own deployment

Does anyone here log directly to Sumologic over TLS from osquery?

@p2 those errors are rare, but! You most likely have something turning on events, if you're on Linux then a

/etc/osquery/osquery.flags

or

/etc/osquery/osquery.flags.default

with a

--nodisable_events

or

--disable_events=false

will enable the event publishers for the shell. A config could also turn them on,

--config_dump

will write the config JSON. Next, why are the events failing? Those are all

pipe

-based to some API that is privileged on the OS, so you could be running as a restricted user, or have cgroups limiting the binary's permissions?

So the BroIDS integration adds 2M to the binaries 😛

If you have data/examples, would you mind filling out a GitHub issue with as much details as possible?

Do I need a central service like kolide to run them or can I just query the endpoint directly. What is the recommended setup?

any recommendations over kolide, doorman, or zentral ?

hoping I can use something like python and kolide to query a remote computer

cheers 🙂

@flaviodomingos @andrew largely nailed it. FB uses osquery for host inspection/telemetry data for all of our boxes worldwide. We use Chef for deployment, and have an internal TLS endpoint that the data is communicated back to

personally, I don't think the file-based approach scales well enough to really be practical outside of a managed server environment. It fails horribly for user endpoints

Good morning osquery gurus. Have you tried to run osquery on Unix(Tm) systems like solaris? What would be the challenges? I totally understand they are very different but difficult/expensive would be port to solaris? We have a bunch of solaris running 😞 and we would like to standardize our FIM procedures with osquery... unfortunately we still have a bunch of them here. 😕

where is the place where default directory for augeas lenses is defined? I am looking in osquery/osquery/tables/system/posix/augeas.cpp, but that does not seem to stick.

I was looking at the yara table and it says “Track YARA matches for files or PIDs.” but it has no PID column

Maybe

/remind

? 🙂

dear all, is it possible to split up the output of osqueryd.results.log into several logs, like osqueryd.apache.access.log and osqueryd.apache.error.log? Any hints? 🙂

@crovers I'm away for a bit, so working very slowly, within a week or two we should have something ready

RE that

counter

change - schema modification should be seen as a breaking/backwards-incompatible change as most folks need to account for it in their log aggregation, log collection or log reception (SIEM) infrastructure. It should be noted or highlighted in release notes.

@jaredl @theopolis I'm adding more information to the log when a watcher takes action on a worker/extension

a custom logger plugin that talks directly to splunk can do that

basically that time stamp format doesn't work very well for parsing by elasticsearch

@maus try using the --dump_tls flag

A few links from the github README are now 404s: https://osquery.io/tables https://osquery.io/packs Looks like they should be: https://osquery.io/schema/ https://osquery.readthedocs.io/en/stable/deployment/configuration/#query-packs There's a lot more links from facebook blog posts, google cache, other sites. The

jekyll-redirect-from

is enabled; working on adding these redirects. Not familiar with jekyll; will take a bit to test according to: https://help.github.com/articles/redirects-on-github-pages/