Hi everyone 👋, I'm trying to use the FIM for monitoring log files under /var/log. Of course, due to the fact that these files are log files, they are updated and growing regularly. I would like to monitor only modifications of the log files, if the file size has not increased or it has shrunk (e.g. someone deleted some content). Is there a way with osquery to accomplish this? I did some tests and I saw the action "MOVED_TO" in the file_events table, if I'm going to delete some content of a file, but I don't know if this is enough. Maybe an approach would be, to compare the values of the size column, if this is possible 🤔

Hrm. Thinking aloud… FIM is generally good for tracking seldom changing files. Then you know you get the events.

logrotate maybe?

Thank you. After some testing with different selects, this works with osqueryi, but not as a query for a scheduled file events in the osquery.conf

SELECT * FROM file AS foo WHERE foo.path like '/home/user/logtester/%%' AND foo.mtime >= (SELECT strftime('%s','now')-120) AND EXISTS ( SELECT * FROM file_events AS bar WHERE bar.action in ('MOVED_TO','DELETED','ATTRIBUTES_MODIFIED','UPDATED') AND foo.path = bar.target_path AND foo.mtime > bar.mtime AND foo.size < bar.size );

If this query is configured I get the following error:

Error adding new results to database for query file_events: JSON object was not an array

If I'm going to change the query a little bit and ensure that the file_events will be queried first, than there are no errors:

SELECT * FROM file_events AS bar WHERE bar.action in ('MOVED_TO','DELETED','ATTRIBUTES_MODIFIED','UPDATED') AND EXISTS ( SELECT * FROM file AS foo WHERE foo.path like '/home/user/logtester/%%' AND foo.path = bar.target_path AND foo.mtime > bar.mtime AND foo.size < bar.size AND foo.mtime >= (SELECT strftime('%s','now')-120));

I could live with this solution, but it doesn't work with scheduling. I can see with the daemon verbose mode, that the query will be executed, but the results will not be logged. If I'm going to do the same select with osqueryi I got my results as expected. So I'm a little bit clueless right now and I ask myself: Is it even possible to monitor decreasing files with the FIM functionality of osquery? We need this if, for example, someone deletes lines from log files. Do you have any further idea how to do this?

Error adding new results to database for query file_events: JSON object was not an array

-- This looks like a bug that should be addressed. Can you please file an issue on GitHub?

Sure 🙂

Interesting question. This seems potentially tricky as there may be edge cases such as multiple processes writing the same file, simultaneous additions/deletions, etc. and of course you won't get the diff of what's been "removed" from the file. Any tool that does such a thing comprehensively will be very expensive (in terms of resource utilization) to operate on busy files like log files.

Hi @zwass Thank you for your answer. The reason behind this is the following: Your logs will be written resp. forwarded to a log server. At this log server only one process is going to write these logs (rsyslogd in our case). So, this is not the problem at all. In a normal situtation, the log file will never shrink, but what happens if someone (e.g. an attacker) is going to change these log files and delete, let's say, 20 lines of it? Sure, the lines are gone, but I want to know that the log file shrunk, because there is something going on. There are IDS / FIM tools which can handle such things, but osquery obviously not. The big question for me: Is this achievable with osquery without ten thousend of SELECT workarounds? 😅

Thinking aloud.. You’re asking how to tell whether an attackers has modified a file before the contents have been shipped off disk. Correct?