Channels
#linux
Title
f
Fran Rodríguez
06/16/2020, 5:51 PMhas anyone got to configure osquery and syslog in order to keep results queries in other file than default file?
c
CptOfEvilMinions
06/16/2020, 9:27 PMHere is a blog post I wrote on instructing Osquery logs to the system journal.
https://holdmybeersecurity.com/2019/03/29/logging-osquery-with-rsyslog-v8-love-at-first-sight/
f
Fran Rodríguez
06/17/2020, 8:42 AMyes, thats what i thought i should do, but i would like to use only syslog plugin instead of filesystem and syslog
c
CptOfEvilMinions
06/17/2020, 2:38 PMIn your osquery.conf or osquery.flags set
"logger_plugin": "syslog"f
Fran Rodríguez
06/17/2020, 4:06 PMosquery.conf
i mean, i have configured that in osquery.conf but it doesn’t work
osquery is not writing in proper file
it is not writing at all
c
CptOfEvilMinions
06/17/2020, 5:20 PMThat is because Osquery is writing to the syslog journal. You need to instruct syslog to read this journal and then write the data where you want it to be.
Syslog journal: https://wiki.archlinux.org/index.php/Systemd/Journal
f
Fran Rodríguez
06/17/2020, 5:22 PMare you sure about that? because i dont see query result in journalctl
i only see system osquery logs
i mean status logs
c
CptOfEvilMinions
06/17/2020, 6:00 PMOn Ubuntu 18.04 with osquery v4.3.0 and the following osquery.conf:
Copy code
{
"options": {
"config_plugin": "filesystem",
"logger_plugin": "filesystem,syslog",
"logger_path": "/var/log/osquery",
"logger_snapshot_event_type": "true",
"disable_logging": "false",
"log_result_events": "true",
"schedule_splay_percent": "10",
"events_expiry": "3600",
"verbose": "false",
"worker_threads": "2",
"enable_monitor": "true",
"disable_events": "false",
"disable_audit": "false",
"audit_allow_config": "true",
"audit_allow_sockets": "true",
"host_identifier": "hostname",
"schedule_default_interval": "3600",
"enable_syslog": "false"
},
"platform": "linux",
"schedule": {
"process_events": {
"query": "SELECT auid, cmdline, ctime, cwd, egid, euid, gid, parent, path, pid, time, uid FROM process_events WHERE path NOT IN ('/bin/sed', '/usr/bin/tr', '/bin/gawk', '/bin/date', '/bin/mktemp', '/usr/bin/dirname', '/usr/bin/head', '/usr/bin/jq', '/bin/cut', '/bin/uname', '/bin/basename') and cmdline NOT LIKE '%_key%' AND cmdline NOT LIKE '%secret%';",
"interval": 10
},
"socket_events": {
"query": "SELECT action, auid, family, local_address, local_port, path, pid, remote_address, remote_port, success, time FROM socket_events WHERE success=1 AND path NOT IN ('/usr/bin/hostname') AND remote_address NOT IN ('127.0.0.1', '169.254.169.254', '', '0000:0000:0000:0000:0000:0000:0000:0001', '::1', '0000:0000:0000:0000:0000:ffff:7f00:0001', 'unknown', '0.0.0.0', '0000:0000:0000:0000:0000:0000:0000:0000');",
"interval": 10
},
"disk_space": {
"query": "select path, round((blocks_available * blocks_size *10e-10),2) as gigs_free, round((blocks_free*1.0/blocks * 100),2) as percent_free from mounts where path='/';",
"interval": 300
},
"python_packages": {
"query": "SELECT * FROM python_packages;",
"interval": 300
}
}
}tail -f /var/log/syslog | grep osquerysystemctl start osquerydMake sure Osquery is running with the proper perms to write to the SystemD journal. Ensure that your version of linux has a SystemD journal.
f
Fran Rodríguez
06/17/2020, 6:02 PM😳
Ubuntu 16.04
my configuration is very similar
what i got it is something like this
but never the query results
osquery version 4.30
c
CptOfEvilMinions
06/17/2020, 6:11 PMDo you mind trying my config right now? Just trying to eliminate potential problems. If it works with my config then there might be an issue with your config. If it doesn’t work with my config above then it’s most likely an Ubuntu 16.04 thing
f
Fran Rodríguez
06/17/2020, 6:13 PMok, im going to try
eii… it doesn’t work same issue.. so i think it is something with Ubuntu 16.04
i’m going to use filesystem logger plugin and rsyslog config to send logs to my endpoint
thank you very much for the help
c
CptOfEvilMinions
06/18/2020, 4:29 PM👍
9 Views