Hello all I am new here and wanted to say hi I have a questi osquery #general

Hello all. I am new here and wanted to say hi. I h...

JohnM

05/14/2021, 2:04 PM

Hello all. I am new here and wanted to say hi. I have a question about osquery regarding alerting and logging. Who would be the best person to ask these to? Thank you!

👋 1

JohnM

05/14/2021, 2:15 PM

I want to alert on whenever log have been deleted without getting a verbose log every time it changes, as this is what I was getting when I add /var/log to my fim pack and was filing up whenever a system process changed a file. If anyone has any suggestion that would be helpful, thanks.

Ian Muscat

05/14/2021, 2:58 PM

Would something like this work?

Copy code

SELECT * FROM file_events WHERE target_path LIKE "/var/log/%%" AND action = "DELETED"

JohnM

05/17/2021, 12:30 PM

Great, thanks! I have added this and unfortunately it is not picking up my test when I add a file to /var/log/ then delete it. Nothing in "systemctl status osqueryd -l" that provides detail of why it isn't working. Any clues? Thank you.

Ian Muscat

05/17/2021, 12:34 PM

Are other file events showing up? When using FIM you need to make sure

osqueryd

is started with the

--disable_events=false

--enable_file_events=true

flags (or corresponding config if you’re configuring osquery using a config file). You also need to make sure that you tell osquery to monitor

/var/log/%%

by specifying a config such as:

Copy code

{
  "file_paths": {
    "logs": [
      "/var/log/%%"
    ]
  }
}

(more info on how to set this up here — https://osquery.readthedocs.io/en/latest/deployment/file-integrity-monitoring/#example-fim-config)

7 Views

Open in Slack

Previous Next