Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
j
Jens Willmer
09/26/2022, 11:04 AMHi everyone, is it possible to HTTP GET my (scheduled) queries? I don't find any information about that 😞
s
sharvil
09/26/2022, 11:13 AMHi there @Jens Willmer , is this question related to #fleet by any chance? can we hop in there if so, thanks!
j
Jens Willmer
09/26/2022, 11:17 AMhi @sharvil, no, I have osquery installed on a server and experimented with the sql queries. Now I would like to use my workflow automation system to query predefined queries (via HTTP?) every now and then. Is this possible?
I can't use fleet or something like that since my servers will run on the edge with limited to (sometimes) no internet connection. So I need to be carefull what and when I send data.
s
sharvil
09/26/2022, 11:36 AMNow I would like to use my workflow automation system to query predefined queries (via HTTP?) every now and then. Is this possible?I am not completely sure to be honest, I think something (which could be your workflow automation system) would have to implement the osquery remote APIs (https://osquery.readthedocs.io/en/latest/deployment/remote/#remote-server-api) and then would have to ad-hoc do a query to
osquery_schedulej
Jens Willmer
09/26/2022, 12:26 PMYes, that I can do. It's just not very obvious which endpoints I need to have and how we need to function. I was hoping for an endpoint which requires a auth token and thats it. Seams not so straight forward. I also looked into fluentd as a middle man but I dont find any tutorial/example of connecting them together.
s
sharvil
09/26/2022, 12:40 PMI am not too familiar with fluentd — do you have the ability to ship the logs on disk from the host — might be worth experimenting with adding
select * from osquery_scheduleresults.logj
Jens Willmer
09/26/2022, 12:47 PMah, so I could schedule my queries to log them to file and then just take the file. Yes, that would work for me. I will give it a try 🙂
I notice that I will get a huge log of every query executed again and again. Any option to only get latest?
s
sharvil
09/26/2022, 1:13 PMI am not sure about the latest -- but I believe you can get pretty close by using the
batchdifferentialcan narrow it further down by enabling log-rotate configuration too https://osquery.readthedocs.io/en/latest/installation/cli-flags/#loggingresults-flags
j
Jens Willmer
09/26/2022, 3:17 PMI think I have to connect to some logging service. The rotate is a good idea but with multiple queries scheduled in different steps it is not working. But thanks for the ideas. helped me to understand the posibillities 🙂
s
seph
09/26/2022, 3:20 PMI’m a bit unsure what you’re asking after.
osquery is an agent. It supports a TLS api, which it can use for:
• requesting it’s configuration (scheduled queries)
• requesting ad-host queries
• pushing logs
There are some docs about how to write such a server.
Some common osquery deployment models are to setup a TLS server (commercial, OSS, or homegrown) to serve configs and collect logs.
Or to use some config management tools to distribute configs, and to collect the logs from the local device.
My employer has a somewhat related blog post https://www.kolide.com/blog/buying-kolide-vs-building-your-own-osquery-solution
The osquery agent does not serve HTTP