has anyone got to configure osquery and syslog in order to keep results queries in other file than default file?

Here is a blog post I wrote on instructing Osquery logs to the system journal. https://holdmybeersecurity.com/2019/03/29/logging-osquery-with-rsyslog-v8-love-at-first-sight/

yes, thats what i thought i should do, but i would like to use only syslog plugin instead of filesystem and syslog

In your osquery.conf or osquery.flags set

"logger_plugin": "syslog"

.

osquery.conf

That is because Osquery is writing to the syslog journal. You need to instruct syslog to read this journal and then write the data where you want it to be. Syslog journal: https://wiki.archlinux.org/index.php/Systemd/Journal

are you sure about that? because i dont see query result in journalctl

On Ubuntu 18.04 with osquery v4.3.0 and the following osquery.conf:

{
  "options": {
    "config_plugin": "filesystem",
    "logger_plugin": "filesystem,syslog",
    "logger_path": "/var/log/osquery",
    "logger_snapshot_event_type": "true",
    "disable_logging": "false",
    "log_result_events": "true",
    "schedule_splay_percent": "10",
    "events_expiry": "3600",
    "verbose": "false",
    "worker_threads": "2",
    "enable_monitor": "true",
    "disable_events": "false",
    "disable_audit": "false",
    "audit_allow_config": "true",
    "audit_allow_sockets": "true",
    "host_identifier": "hostname",
    "schedule_default_interval": "3600",
    "enable_syslog": "false"
  },
  "platform": "linux",
  "schedule": {
    "process_events": {
      "query": "SELECT auid, cmdline, ctime, cwd, egid, euid, gid, parent, path, pid, time, uid FROM process_events WHERE path NOT IN ('/bin/sed', '/usr/bin/tr', '/bin/gawk', '/bin/date', '/bin/mktemp', '/usr/bin/dirname', '/usr/bin/head', '/usr/bin/jq', '/bin/cut', '/bin/uname', '/bin/basename') and cmdline NOT LIKE '%_key%' AND cmdline NOT LIKE '%secret%';",
      "interval": 10
    },
    "socket_events": {
      "query": "SELECT action, auid, family, local_address, local_port, path, pid, remote_address, remote_port, success, time FROM socket_events WHERE success=1 AND path NOT IN ('/usr/bin/hostname') AND remote_address NOT IN ('127.0.0.1', '169.254.169.254', '', '0000:0000:0000:0000:0000:0000:0000:0001', '::1', '0000:0000:0000:0000:0000:ffff:7f00:0001', 'unknown', '0.0.0.0', '0000:0000:0000:0000:0000:0000:0000:0000');",
      "interval": 10
    },
    "disk_space": {
      "query": "select path, round((blocks_available * blocks_size *10e-10),2) as gigs_free, round((blocks_free*1.0/blocks * 100),2) as percent_free from mounts where path='/';",
      "interval": 300
    },
    "python_packages": {
      "query": "SELECT * FROM python_packages;",
      "interval": 300
    }
  }
}

Next, I did

tail -f /var/log/syslog | grep osquery

then started osqueryd with

systemctl start osqueryd

let it run for 30 seconds to get.

😳

Do you mind trying my config right now? Just trying to eliminate potential problems. If it works with my config then there might be an issue with your config. If it doesn’t work with my config above then it’s most likely an Ubuntu 16.04 thing

ok, im going to try

👍