Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
b
Bit_by_bit
07/11/2018, 10:51 PMI am trying to basically automate any osqueryi queries so that I can get real-time system information. I was thinking of going to the conf files and using schedule to try and test this on maybe 1 or 2 queries and hopefully see the results logged in some kind of logger file. Any ideas?
Or do you think this would be much easier to do in mac and linux?
t
thor
07/12/2018, 4:10 PM@Bit_by_bit I'm not entirely sure I follow what you're wanting to do... Are you saying you'd like to automate execution of osqueryi queries? this is what the osqueryd daemon is for, or maybe I'm misunderstanding what you're asking
b
Bit_by_bit
07/12/2018, 4:11 PM@thor yes you are right. I want to get real time data. If I use osqueryi, it will give information about the system's state at that point which may have changed later on. Therefore, if I can automate it, I can get the same results every 10ms if I wanted
Plus, I think I would need to make my own osquery.flags file as I do not have it 😕
t
thor
07/12/2018, 4:13 PMYeah you'll want to use osqueryd for that, however we don't have ms granularity, it's second granularity, and many of the tables aren't performant enough to be able to get data every second. What we've had success with in the past is using the Windows event logging pipeline to get data out. There's a few issues open to try and build out event publisher tables for process auditing and network socket auditing, but these aren't there yet
b
Bit_by_bit
07/12/2018, 4:13 PMhmm..would it be easier on mac or linux?
t
thor
07/12/2018, 4:14 PMMac and Linux both have event publisher tables for processes, network events, and file events, so yes
But you again wont query them every second or ms, you'll turn on the publishers and query the tables once every few minutes. There's more information here: https://osquery.readthedocs.io/en/stable/development/pubsub-framework/
b
Bit_by_bit
07/12/2018, 4:15 PMCool beans!
Tbh, I really like this project and would love to help in my free time. Being in college, it really restricts my free time...
👍 1
t
thor
07/12/2018, 4:15 PMAh, actually you'll want this 🙂 https://osquery.readthedocs.io/en/stable/deployment/process-auditing/
Yeah check out more of that readthedocs 🙂 There's lots of good nuggets there. Developing on Linux/Mac is a bit easier than Windows, but Windows definitely needs more work and love 🙂
Welcome to the project!
👍 1
b
Bit_by_bit
07/12/2018, 4:15 PMCool, ill def try it out with linux and see how it goes