Hey all is there a way to query logd with osquery my use cas osquery #general

Hey all! is there a way to query logd with osquery...

Brandon Mesa

09/16/2022, 3:09 PM

Hey all! is there a way to query logd with osquery? my use case is the following, I want to collect launchd logs from an endpoint and send it to a centralized log management server, however, I want to enrich the launchd events with the username, by using the UID in the launchd event. any thoughts around this? may be a far stretch

Jason

09/16/2022, 3:13 PM

Maybe the

unified_log

table from the macadmins extension ? https://github.com/macadmins/osquery-extension

sharvil

09/16/2022, 3:13 PM

I don’t know if this would capture it, but there is a new

unified_log

table in osquery core now..

sharvil

09/16/2022, 3:14 PM

And you can perhaps add decorators to enrich those queries

sharvil

09/16/2022, 3:14 PM

And yep! as @Jason mentions, there is that extension too which has

unified_log

table

Brandon Mesa

09/16/2022, 3:19 PM

unified_log looks awesome! I think at that point I would just need to regex out my uid from the event message, let me see if sql lite supports that functionality

Jason

09/16/2022, 3:20 PM

pretty sure it does (include regex)

sharvil

09/16/2022, 3:21 PM

yep! re: regex https://osquery.readthedocs.io/en/latest/introduction/sql/#string-functions

Brandon Mesa

09/16/2022, 3:21 PM

amazing.

Brandon Mesa

09/16/2022, 3:22 PM

@sharvil do we have a planned version release for the unified_log table?

sharvil

09/16/2022, 3:24 PM

@Brandon Mesa it should be in version 5.5.1, which is marked stable, and there are artifacts on github, but I think uploading those to the website is still pending (manual process)

Open in Slack

Previous Next