#windows

vaar (08/19/2019, 3:55 PM)
with osquery is it possible to forward also windows events not generated by osquery?

packetzero (08/19/2019, 3:56 PM)
yes
3:56 PM
the windows_events table will read in windows events based on configured channels and send them as results

vaar (08/19/2019, 4:00 PM)
ah, nice. thanks
4:02 PM
I want to reduce the agents installed; maybe replacing winlogbeat with a continuous windows_events query could be a good solution?
4:02 PM
maybe setting kafka as logger plugin?

packetzero (08/19/2019, 4:09 PM)
it will take some experimentation on your part to understand what works best for your environment.
4:09 PM
osquery is kind of a kit ... spend a lot of time configuring and testing

vaar (08/19/2019, 4:10 PM)
yeah, sure. We have a lot of problems with WEF, so a replacement is needed in any case.
4:10 PM
we already have osquery on endpoints, but used only for response, maybe we can use it also for win event forwarding

packetzero (08/19/2019, 4:10 PM)
if you are having issues with WEF, osquery might give you just as many issues
4:11 PM
osquery reporting format is verbose
4:11 PM
so lots of bandwidth
4:11 PM
and the mainline code is not great at high throughput events yet

vaar (08/19/2019, 4:13 PM)
but it is still possible to filter for needed events and not everything via query

packetzero (08/19/2019, 4:14 PM)
you subscribe to event channels like Windows-Security, Windows-Powershell, etc.
4:15 PM
then you have queries in your schedule (e.g. every 60 seconds) to filter what you want. The results get forwarded by logger

vaar (08/19/2019, 4:16 PM)
the logger forwards the query results, right?

packetzero (08/19/2019, 4:17 PM)
yes

vaar (08/19/2019, 4:18 PM)
are the osquery issues with high throughput on the event channel subscribers?
4:19 PM
I have more osquery experience with linux than windows, and there the problem is auditd 🙂

packetzero (08/19/2019, 4:20 PM)
if you are not running on a high-load server, then performance should not be an issue for you
4:20 PM
otherwise, avoid buffered_logger based loggers like tls and kinesis.

vaar (08/19/2019, 4:22 PM)
what about kafka?

packetzero (08/19/2019, 4:23 PM)
I've never used it. it doesn't appear to cache events in rocksdb (which is the issue with buffered_logger).

vaar (08/19/2019, 4:35 PM)
yes, it seems to forward the events directly, so it should be better for this use case
4:35 PM
I will test it