Hi everyone, is it possible to HTTP GET my (schedu...
# generalj
Jens Willmer
09/26/2022, 11:04 AMHi everyone, is it possible to HTTP GET my (scheduled) queries? I don't find any information about that 😞
s
sharvil
09/26/2022, 11:13 AMHi there @Jens Willmer , is this question related to #fleet by any chance? can we hop in there if so, thanks!
j
Jens Willmer
09/26/2022, 11:17 AMhi @sharvil, no, I have osquery installed on a server and experimented with the sql queries. Now I would like to use my workflow automation system to query predefined queries (via HTTP?) every now and then. Is this possible?
Jens Willmer
09/26/2022, 11:18 AMI can't use fleet or something like that since my servers will run on the edge with limited to (sometimes) no internet connection. So I need to be carefull what and when I send data.
s
sharvil
09/26/2022, 11:36 AMNow I would like to use my workflow automation system to query predefined queries (via HTTP?) every now and then. Is this possible?I am not completely sure to be honest, I think something (which could be your workflow automation system) would have to implement the osquery remote APIs (https://osquery.readthedocs.io/en/latest/deployment/remote/#remote-server-api) and then would have to ad-hoc do a query to
osquery_schedulej
Jens Willmer
09/26/2022, 12:26 PMYes, that I can do. It's just not very obvious which endpoints I need to have and how we need to function. I was hoping for an endpoint which requires a auth token and thats it. Seams not so straight forward. I also looked into fluentd as a middle man but I dont find any tutorial/example of connecting them together.
s
sharvil
09/26/2022, 12:40 PMI am not too familiar with fluentd — do you have the ability to ship the logs on disk from the host — might be worth experimenting with adding
select * from osquery_scheduleresults.logj
Jens Willmer
09/26/2022, 12:47 PMah, so I could schedule my queries to log them to file and then just take the file. Yes, that would work for me. I will give it a try 🙂
Jens Willmer
09/26/2022, 1:09 PMI notice that I will get a huge log of every query executed again and again. Any option to only get latest?
s
sharvil
09/26/2022, 1:13 PMI am not sure about the latest -- but I believe you can get pretty close by using the
batchdifferentialsharvil
09/26/2022, 1:13 PMcan narrow it further down by enabling log-rotate configuration too https://osquery.readthedocs.io/en/latest/installation/cli-flags/#loggingresults-flags
j
Jens Willmer
09/26/2022, 3:17 PMI think I have to connect to some logging service. The rotate is a good idea but with multiple queries scheduled in different steps it is not working. But thanks for the ideas. helped me to understand the posibillities 🙂
s
seph
09/26/2022, 3:20 PM
I’m a bit unsure what you’re asking after.
seph
09/26/2022, 3:21 PM
osquery is an agent. It supports a TLS api, which it can use for:
• requesting it’s configuration (scheduled queries)
• requesting ad-host queries
• pushing logs
There are some docs about how to write such a server.
seph
09/26/2022, 3:23 PM
Some common osquery deployment models are to setup a TLS server (commercial, OSS, or homegrown) to serve configs and collect logs.
Or to use some config management tools to distribute configs, and to collect the logs from the local device.
My employer has a somewhat related blog post https://www.kolide.com/blog/buying-kolide-vs-building-your-own-osquery-solution
seph
09/26/2022, 3:23 PM
The osquery agent does not serve HTTP
2 Views