So the immediate question is what should the string that is osquery #community-feeds

Title

# community-feeds

Alex Woolford

10/15/2019, 12:10 AM

So, the immediate question is: what should the string that is currently

schedule-process_port

be in order to log this stuff to the

process-port

topic?

zwass

10/15/2019, 12:13 AM

I am not super familiar with Kafka logging but my feeling is that you may need to put it in a pack and then use

pack_<pack_name>_<query_name>

@Alex Woolford

Alex Woolford

10/15/2019, 12:17 AM

Gotcha. I’ll put it in a pack.

zwass

10/15/2019, 1:35 AM

Did it work with a pack?

Alex Woolford

10/15/2019, 2:11 AM

The output ends up being written to the

catchall

topic which in my case is

base_topic

using this config:

Copy code

{
  "options": {
    "logger_kafka_brokers": "<http://cp01.woolford.io:9092,cp02.woolford.io:9092,cp03.woolford.io:9092|cp01.woolford.io:9092,cp02.woolford.io:9092,cp03.woolford.io:9092>",
    "logger_kafka_topic": "base_topic",
    "logger_kafka_acks": "1"
  },
  "packs": {
    "system-snapshot": {
      "queries": {
        "processes_by_port": {
          "query": "select u.username, p.pid, p.name, pos.local_address, pos.local_port, pos.remote_address, pos.remote_port from processes p join users u on u.uid = p.uid join process_open_sockets pos on pos.pid=p.pid where pos.remote_port != '0'",
          "interval": 10,
          "snapshot": false
        }
      }
    }
  },
  "kafka_topics": {
    "process-port": [
      "pack_system-snapshot_processes_by_port"
    ]
  }
}

29 Views