do you have experience of running osquery on enter...
# generalv
vaar
11/17/2019, 3:43 PMdo you have experience of running osquery on enterprise without a fleet manager? using only chef/puppet/jamf? how do you manage the packs/fim/conf? how do you stream the query results in the logs pipeline?
t
theopolis
11/17/2019, 5:57 PM
yes, use chef to manage your config+packs. Then for ingesting logs, how do you do this today? If you have an existing pipeline try to fit osquery into it. The default behavior is to write logs to a file, do you have something that similarly collects logs? If you search/google osquery+$yourexistingtools you might find guides
v
vaar
11/17/2019, 5:59 PMat moment I am using a fleet manager and osquery forward the logs via TLS to it and beats from fleet manager to the pipeline.
vaar
11/17/2019, 5:59 PMThe problem is that I can't use osquery to pipeline directly, what else can I use?
t
theopolis
11/17/2019, 5:59 PM
ah, so you are looking for alternatives?
theopolis
11/17/2019, 5:59 PM
syslog, splunk, etc?
v
vaar
11/17/2019, 6:00 PMmaybe via osquery kafka, but it seems to be not so stable
vaar
11/17/2019, 6:00 PMmy pipeline ingests logs as syslog or kafka
vaar
11/17/2019, 6:03 PMI tried osquery's kafka logger more than one year ago and I had few issues with libkafka, I should try it again
👍 1
c
CptOfEvilMinions
11/18/2019, 9:59 PMHey @vaar, sorry for the late reply here but I wrote a blog post a couple months back on sending osquery logs with Rsyslog. This blog post shows how to setup the Rsyslog client to send Osquery logs and the Rsyslog server.
https://holdmybeersecurity.com/2019/03/29/logging-osquery-with-rsyslog-v8-love-at-first-sight/
Additionally, I have several other blogs on how to ship osquery logs using Rsyslog to Kafka.
CptOfEvilMinions
11/18/2019, 9:59 PMHope this helps 🙂
v
vaar
11/20/2019, 10:16 AMyes, I read it. It is nice, but we don't want to run rsyslog on all endpoints too, in particular if they are workstations 😞
4 Views