Hey there I am pretty new to osquery is there any GUI workbe

Question

Hey there I am pretty new to osquery is there any GUI workbench for this or CLI Only

alessandrogario · Answer

There are several you can try out Kolide Fleet with docker compose using this <https github com dactivllc osquery in a box>

sudo · Answer

Thank you < alessandrogario>

alessandrogario · Answer

alessandrogario · Answer

Some of the alternatives

alessandrogario · Answer

If you try out Kolide Fleet they have a channel here It s < C1XCLA5DZ|kolide>

sudo · Answer

Awesome much appreciated I started looking at the fleet now

seph · Answer

osquery is IMO hard to describe It s not a gui or a cli It s a tool to translate OS apis to sql A common way to interact with it is through the `osqueryi` command line A common way to deploy it is to connect `osqueryd` to a remote management tool as listed above

sudo · Answer

Thanks < seph> I get it now I spent some time on it I thought it would be quite effective if theres a gui where we can perform aggregation as well Anyway I pushed the logs to elastic for aggregation

seph · Answer

gt gui where we can perform aggregation as well Like a log aggregation system you can push logs to any existing one Generally folks can help if you re looking to get the data into places

seph · Answer

But doing a good job building log aggregation is a big project Using ELK is generally simpler

sudo · Answer

Would you recommend anything else if I were to use osquery for threat hunting Currently I am running a daemon query packs syslog server elastic

seph · Answer

Depends on how you want to explore and work with data

sudo · Answer

True but in general these would suffice just leveraging opensource Do people use osquery to monitor their containers I usually got used to prometheus and NodeExporter

seph · Answer

gt True but in general these would suffice just leveraging opensource I m not sure what you mean But as before it depends on what you like and how you like using data

seph · Answer

gt Do people use osquery to monitor their containers I usually got used to prometheus and NodeExporter osquery and nodeexporter have access to different kinds of information prometheus is oriented around being a TSDB for metrics osquery is a tool to generate whatever You could use it to feed prometheus but feeding ELK a SIEM whatever is going to be more powerful

sudo · Answer

Got it I think I should read docs seems like this got good documentation Thanks for your time