what do you suggest for near real-time detections ...
# macosv
vaar
07/22/2019, 5:42 PMwhat do you suggest for near real-time detections for other events? run incremental query every second? or something else?
z
zwass
07/22/2019, 5:43 PM
Which other events are you looking for? FIM, process_events, hardware_events, disk_events, etc. all work without kernel extension.
v
vaar
07/22/2019, 5:45 PMfor example, network events
vaar
07/22/2019, 5:46 PMand what does osquery use for FIM on mac? fsevents?
z
zwass
07/22/2019, 8:22 PM
Yes, I believe network events are not supported and FIM I believe is fsevents.
v
vaar
07/23/2019, 9:01 AMand what do you suggest for near real-time detections using those (and more) events? run queries every second and get the data off from endpoint?
z
zwass
07/23/2019, 4:24 PM
For network events? Or for supported event types? I would definitely avoid running queries every second. Maybe something like queries every 10-30 seconds and a logging interval of 10-30 seconds. This seems "real-time" enough for most logging pipelines IME.
v
vaar
07/23/2019, 5:47 PMno, I mean for all supported events, not network. Is there a way to configure an logging interval for kafka?
z
zwass
07/23/2019, 6:20 PM
I just took a look at the Kafka plugin implementation and it seems to log immediately. Not sure why it doesn't do buffering like the AWS and TLS plugins.
v
vaar
07/23/2019, 6:27 PMso with kafka the query result is sent as soon as it finishes, well, I can use the query interval only in this case
z
zwass
07/23/2019, 6:28 PM
That sounds right to me
v
vaar
07/23/2019, 6:29 PMthanks
3 Views