# general

Jens Willmer

09/26/2022, 11:04 AM
Hi everyone, is it possible to HTTP GET my (scheduled) queries? I don't find any information about that 😞

sharvil

09/26/2022, 11:13 AM
Hi there @Jens Willmer , is this question related to #fleet by any chance? can we hop in there if so, thanks!

Jens Willmer

09/26/2022, 11:17 AM
Hi @sharvil, no, I have osquery installed on a server and experimented with the SQL queries. Now I would like to use my workflow automation system to query predefined queries (via HTTP?) every now and then. Is this possible?
I can't use fleet or something like that since my servers will run on the edge with limited to (sometimes) no internet connection. So I need to be careful about what and when I send data.

sharvil

09/26/2022, 11:36 AM
> Now I would like to use my workflow automation system to query predefined queries (via HTTP?) every now and then. Is this possible?
I am not completely sure to be honest, I think something (which could be your workflow automation system) would have to implement the osquery remote APIs (https://osquery.readthedocs.io/en/latest/deployment/remote/#remote-server-api) and then would have to do an ad-hoc query to the `osquery_schedule` table, I don't know if there is a simpler way though

Jens Willmer

09/26/2022, 12:26 PM
Yes, that I can do. It's just not very obvious which endpoints I need to have and how they need to function. I was hoping for an endpoint which requires an auth token and that's it. Seems not so straightforward. I also looked into fluentd as a middle man but I don't find any tutorial/example of connecting them together.

sharvil

09/26/2022, 12:40 PM
I am not too familiar with fluentd — do you have the ability to ship the logs on disk from the host — might be worth experimenting with adding a `select * from osquery_schedule` query to the schedule, and have the osquery `results.log` shipped out

Jens Willmer

09/26/2022, 12:47 PM
Ah, so I could schedule my queries to log them to a file and then just take the file. Yes, that would work for me. I will give it a try 🙂
I notice that I will get a huge log of every query executed again and again. Any option to only get the latest?

sharvil

09/26/2022, 1:13 PM
I am not sure about the latest -- but I believe you can get pretty close by using the `batch` format along with `differential` when configuring the logging -- https://osquery.readthedocs.io/en/latest/deployment/logging/#event-format
can narrow it further down by enabling log-rotate configuration too https://osquery.readthedocs.io/en/latest/installation/cli-flags/#loggingresults-flags

Jens Willmer

09/26/2022, 3:17 PM
I think I have to connect to some logging service. The rotate is a good idea, but with multiple queries scheduled in different steps it is not working. But thanks for the ideas, it helped me to understand the possibilities 🙂

seph

09/26/2022, 3:20 PM
I’m a bit unsure what you’re asking after.
osquery is an agent. It supports a TLS API, which it can use for:
• requesting its configuration (scheduled queries)
• requesting ad-hoc queries
• pushing logs
There are some docs about how to write such a server.
Some common osquery deployment models are to set up a TLS server (commercial, OSS, or homegrown) to serve configs and collect logs. Or to use some config management tools to distribute configs, and to collect the logs from the local device. My employer has a somewhat related blog post https://www.kolide.com/blog/buying-kolide-vs-building-your-own-osquery-solution
The osquery agent does not serve HTTP.