# linux
f
Has anyone managed to configure osquery and syslog in order to keep query results in a file other than the default file?
c
Here is a blog post I wrote on instructing Osquery logs to the system journal. https://holdmybeersecurity.com/2019/03/29/logging-osquery-with-rsyslog-v8-love-at-first-sight/
f
Yes, that's what I thought I should do, but I would like to use only the syslog plugin instead of filesystem and syslog.
c
In your osquery.conf or osquery.flags set "logger_plugin": "syslog".
f
osquery.conf
I mean, I have configured that in osquery.conf but it doesn't work.
osquery is not writing to the proper file.
It is not writing at all.
c
That is because Osquery is writing to the syslog journal. You need to instruct syslog to read this journal and then write the data where you want it to be. Syslog journal: https://wiki.archlinux.org/index.php/Systemd/Journal
f
Are you sure about that? Because I don't see query results in journalctl.
I only see system osquery logs.
I mean status logs.
c
On Ubuntu 18.04 with osquery v4.3.0 and the following osquery.conf:
{
  "options": {
    "config_plugin": "filesystem",
    "logger_plugin": "filesystem,syslog",
    "logger_path": "/var/log/osquery",
    "logger_snapshot_event_type": "true",
    "disable_logging": "false",
    "log_result_events": "true",
    "schedule_splay_percent": "10",
    "events_expiry": "3600",
    "verbose": "false",
    "worker_threads": "2",
    "enable_monitor": "true",
    "disable_events": "false",
    "disable_audit": "false",
    "audit_allow_config": "true",
    "audit_allow_sockets": "true",
    "host_identifier": "hostname",
    "schedule_default_interval": "3600",
    "enable_syslog": "false"
  },
  "platform": "linux",
  "schedule": {
    "process_events": {
      "query": "SELECT auid, cmdline, ctime, cwd, egid, euid, gid, parent, path, pid, time, uid FROM process_events WHERE path NOT IN ('/bin/sed', '/usr/bin/tr', '/bin/gawk', '/bin/date', '/bin/mktemp', '/usr/bin/dirname', '/usr/bin/head', '/usr/bin/jq', '/bin/cut', '/bin/uname', '/bin/basename') and cmdline NOT LIKE '%_key%' AND cmdline NOT LIKE '%secret%';",
      "interval": 10
    },
    "socket_events": {
      "query": "SELECT action, auid, family, local_address, local_port, path, pid, remote_address, remote_port, success, time FROM socket_events WHERE success=1 AND path NOT IN ('/usr/bin/hostname') AND remote_address NOT IN ('127.0.0.1', '169.254.169.254', '', '0000:0000:0000:0000:0000:0000:0000:0001', '::1', '0000:0000:0000:0000:0000:ffff:7f00:0001', 'unknown', '0.0.0.0', '0000:0000:0000:0000:0000:0000:0000:0000');",
      "interval": 10
    },
    "disk_space": {
      "query": "select path, round((blocks_available * blocks_size *10e-10),2) as gigs_free, round((blocks_free*1.0/blocks * 100),2) as percent_free from mounts where path='/';",
      "interval": 300
    },
    "python_packages": {
      "query": "SELECT * FROM python_packages;",
      "interval": 300
    }
  }
}
Next, I did
tail -f /var/log/syslog | grep osquery
then started osqueryd with
systemctl start osqueryd
let it run for 30 seconds to get.
Make sure Osquery is running with the proper perms to write to the SystemD journal. Ensure that your version of linux has a SystemD journal.
f
😳
Ubuntu 16.04
My configuration is very similar.
What I got is something like this,
but never the query results.
osquery version 4.30
c
Do you mind trying my config right now? Just trying to eliminate potential problems. If it works with my config then there might be an issue with your config. If it doesn't work with my config above then it's most likely an Ubuntu 16.04 thing.
f
OK, I'm going to try.
Eii… it doesn't work, same issue.. so I think it is something with Ubuntu 16.04.
I'm going to use the filesystem logger plugin and an rsyslog config to send logs to my endpoint.
Thank you very much for the help.
c
👍