Channels
doorman
infrastructure
random
zercurity
community-feeds
fleet-dev
code-review
queryhub
apple-silicon
carving
tls
fim
goquery
zentral
aws
querycon
golang
zeek
file-carving
fuzzing
auditing-warroom
linen-dev
fleetosquery
plugins
jobs
arm-architecture
darkbytes
process-auditing
uptycs
android_tests
selfgroup
vendor-feeds
fleet
eclecticiq-polylogyx-extension
ebpf
website
core
general
macos
kolide
osctrl
extensions
foundation
sql
officehours
linux
windows
Title
v
vaar
08/19/2019, 3:55 PMwith osquery is it possible to forward also windows events not generated by osquery?
p
packetzero
08/19/2019, 3:56 PMyes
the windows_events table will read in windows events based on configured channels and send them as results
v
vaar
08/19/2019, 4:00 PMah, nice. thanks
I want reduce the agents installed and maybe replace winlogbeat with continuous windows_events query could be a good solution?
maybe setting kafka as logger plugin?
p
packetzero
08/19/2019, 4:09 PMit will take some experimentation on your part to understand what works best for your environment.
osquery is kind of a kit ... spend a lot of time configuring and testing
v
vaar
08/19/2019, 4:10 PMyeah, sure. We have a lot of problems with WEF, so a replacement is needed in any case.
we already have osquery on endpoints, but used only for response, maybe we can use it also for win event forwarding
p
packetzero
08/19/2019, 4:10 PMif you are having issues with WEF, osquery might give you just as many issues
osquery reporting format is verbose
so lots of bandwidth
and the mainline code is not great at high throughput events yet
v
vaar
08/19/2019, 4:13 PMbut it is still possible to filter for needed events and not everything via query
p
packetzero
08/19/2019, 4:14 PMyou subscribe to event channels like Windows-Security , Windows-Powershell, etc.
then you have queries in your schedule (e.g. every 60 seconds) to filter what you want. The results get forwarded by logger
v
vaar
08/19/2019, 4:16 PMthe logger forwards the query results, right?
p
packetzero
08/19/2019, 4:17 PMyes
v
vaar
08/19/2019, 4:18 PMthe osquery issues with the high throughput are on event channels subscriptors?
I have more osqauery experience with linux than windows and there the problem is auditd 🙂
p
packetzero
08/19/2019, 4:20 PMif you are not running on a high-load server, then performance should not be an issue for oyu
you
otherwise, avoid buffered_logger based loggers like tls and kinesis.
v
vaar
08/19/2019, 4:22 PMwhat about kafka?
p
packetzero
08/19/2019, 4:23 PMI've never used it. it doesn't appear to cache events in rocksdb (which is issue with buffered_logger).
v
vaar
08/19/2019, 4:35 PMyes, it seems to forward the events directly, so it should be better for this use case
I will test it