Title
#general
manikant singh

manikant singh

09/27/2020, 4:12 PM
let me example my complete situation.1. First I was trying to configure osquery without remote settings. 2. I enabled process events logging using rsyslog made changes to rsyslog.conf as per documentation.
template(
  name="OsqueryCsvFormat"
  type="string"
  string="%timestamp:::date-rfc3339,csv%,%hostname:::csv%,%syslogseverity:::csv%,%syslogfacility-text:::csv%,%syslogtag:::csv%,%msg:::csv%\n"
)
*.* action(type="ompipe" Pipe="/var/osquery/syslog_pipe" template="OsqueryCsvFormat")
3. After that I enabled scheduled queries and everything worked fine. I was able to query process events successfully. (after configuring required flags). Now, I am trying the same thing with docker container as a host and kolide fleet as server. I made same changes for this but changed properties as per requirement for TLS . This time able to make queries from fleet to osqueryd running inside docker container. But the only issue is with process events. It's doesn't get logged. I installed rsyslog on container but restart rsyslog doesn't work here. Finally: My doubt is is rsyslog is really required when kolide fleet is used to schedule process events queries.
theopolis

theopolis

09/28/2020, 3:11 PM
It sounds like you are doing a few things that are sort of unrelated so we can discuss them 1 by 1. 1. Configure osquery to use Kolide 2. Configure osquery to consume syslog from the system 3. Configure osquery to use audit and produce process events You are correct that syslog is not required for process events. If you follow this guide: https://osquery.readthedocs.io/en/latest/deployment/process-auditing/ it assumes you are not running in a container.
3:25 PM
As far as I know there can only be one process on a system that receives audit messages from the kernel's audit netlink socket. So if you are running osquery in a container and you want that osquery process to receive audit messages you will need to run a privileged container and you will need to stop osquery and/or auditd on the host. There is a bit of complexity involved here and I don't think this is recommended but I am not sure what you are trying to do. If you want each container to report its own process auditing events, this is not going to work. My recommendation is to use osquery on the host, configured with the process auditing guide linked above. This will receive all of the process events from all running containers. And you will not have to run a privileged container for osquery's requirements.