Channels
doorman
infrastructure
random
zercurity
community-feeds
fleet-dev
code-review
queryhub
apple-silicon
carving
tls
fim
goquery
zentral
aws
querycon
golang
zeek
file-carving
fuzzing
auditing-warroom
linen-dev
fleetosquery
plugins
jobs
arm-architecture
darkbytes
process-auditing
uptycs
android_tests
selfgroup
vendor-feeds
fleet
eclecticiq-polylogyx-extension
ebpf
website
core
general
macos
kolide
osctrl
extensions
foundation
sql
officehours
linux
windows
Title
s
sudo
04/01/2020, 11:49 AMHey there! I am pretty new to osquery, is there any GUI workbench for this or CLI-Only?
a
alessandrogario
04/01/2020, 12:26 PMThere are several; you can try out Kolide Fleet with docker-compose using this: https://github.com/dactivllc/osquery-in-a-box
s
sudo
04/01/2020, 12:27 PMThank you @alessandrogario
a
alessandrogario
04/01/2020, 12:29 PMSome of the alternatives
If you try out Kolide Fleet, they have a channel here! It's #kolide
s
sudo
04/01/2020, 12:30 PMAwesome, much appreciated. I started looking at the fleet now.
s
seph
04/01/2020, 5:42 PMosquery is, IMO, hard to describe. It’s not a gui or a cli. It’s a tool to translate OS apis to sql.
A common way to interact with it is through the
osqueryiosqueryd💯 1
s
sudo
04/01/2020, 5:46 PMThanks @seph, I get it now. I spent some time on it. I thought it would be quite effective if theres a gui where we can perform aggregation as well.
Anyway, I pushed the logs to elastic for aggregation
s
seph
04/01/2020, 5:48 PMgui where we can perform aggregation as wellLike a log aggregation system? you can push logs to any existing one. Generally folks can help if you’re looking to get the data into places.
But doing a good job building log aggregation is a big project. Using ELK is generally simpler.
s
sudo
04/01/2020, 5:49 PMWould you recommend anything else if I were to use osquery for threat hunting?
Currently, I am running a daemon, query packs, syslog server, elastic
s
seph
04/01/2020, 5:50 PMDepends on how you want to explore and work with data.
s
sudo
04/01/2020, 5:53 PMTrue but in general these would suffice just leveraging opensource?
Do people use osquery to monitor their containers? I usually got used to prometheus and NodeExporter
s
seph
04/01/2020, 5:54 PMTrue but in general these would suffice just leveraging opensourceI’m not sure what you mean. But as before, it depends on what you like, and how you like using data
Do people use osquery to monitor their containers? I usually got used to prometheus and NodeExporterosquery and nodeexporter have access to different kinds of information. prometheus is oriented around being a TSDB for metrics. osquery is a tool to generate whatever. You could use it to feed prometheus. but feeding ELK, a SIEM, whatever is going to be more powerful.
s
sudo
04/01/2020, 6:02 PMGot it, I think I should read docs, seems like this got good documentation. Thanks for your time