# windows
v
with osquery is it possible to forward also windows events not generated by osquery?
p
yes
the windows_events table will read in windows events based on configured channels and send them as results
v
ah, nice. thanks
I want to reduce the agents installed, and maybe replacing winlogbeat with a continuous windows_events query could be a good solution?
maybe setting kafka as logger plugin?
p
it will take some experimentation on your part to understand what works best for your environment.
osquery is kind of a kit ... spend a lot of time configuring and testing
v
yeah, sure. We have a lot of problems with WEF, so a replacement is needed in any case.
we already have osquery on endpoints, but used only for response, maybe we can use it also for win event forwarding
p
if you are having issues with WEF, osquery might give you just as many issues
osquery reporting format is verbose
so lots of bandwidth
and the mainline code is not great at high throughput events yet
v
but it is still possible to filter for needed events and not everything via query
p
you subscribe to event channels like Windows-Security, Windows-Powershell, etc.
then you have queries in your schedule (e.g. every 60 seconds) to filter what you want. The results get forwarded by logger
v
the logger forwards the query results, right?
p
yes
v
are the osquery issues with high throughput on the event channel subscribers?
I have more osquery experience with linux than windows, and there the problem is auditd 🙂
p
if you are not running on a high-load server, then performance should not be an issue for you
otherwise, avoid buffered_logger based loggers like tls and kinesis.
v
what about kafka?
p
I've never used it. it doesn't appear to cache events in rocksdb (which is the issue with buffered_logger).
v
yes, it seems to forward the events directly, so it should be better for this use case
I will test it