https://github.com/osquery/osquery logo
Powered by
#general
Title
# general
j

JohnM

05/14/2021, 2:04 PM
Hello all. I am new here and wanted to say hi. I have a question about osquery regarding alerting and logging. Who would be the best person to ask these to? Thank you!
👋 1
I want to alert on whenever log have been deleted without getting a verbose log every time it changes, as this is what I was getting when I add /var/log to my fim pack and was filing up whenever a system process changed a file. If anyone has any suggestion that would be helpful, thanks.
i

Ian Muscat

05/14/2021, 2:58 PM
Would something like this work?
Copy code
SELECT * FROM file_events WHERE target_path LIKE "/var/log/%%" AND action = "DELETED"
j

JohnM

05/17/2021, 12:30 PM
Great, thanks! I have added this and unfortunately it is not picking up my test when I add a file to /var/log/ then delete it. Nothing in "systemctl status osqueryd -l" that provides detail of why it isn't working. Any clues? Thank you.
i

Ian Muscat

05/17/2021, 12:34 PM
Are other file events showing up? When using FIM you need to make sure 
osqueryd
is started with the 
--disable_events=false
--enable_file_events=true
flags (or corresponding config if you’re configuring osquery using a config file). You also need to make sure that you tell osquery to monitor 
/var/log/%%
by specifying a config such as:
Copy code
{
  "file_paths": {
    "logs": [
      "/var/log/%%"
    ]
  }
}
(more info on how to set this up here — https://osquery.readthedocs.io/en/latest/deployment/file-integrity-monitoring/#example-fim-config)
7 Views
Powered by