  • manikant singh

    1 year ago
    Let me explain my complete situation.
    1. First I was trying to configure osquery without remote settings.
    2. I enabled process events logging using rsyslog and made changes to rsyslog.conf as per the documentation:
    template(
      name="OsqueryCsvFormat"
      type="string"
      string="%timestamp:::date-rfc3339,csv%,%hostname:::csv%,%syslogseverity:::csv%,%syslogfacility-text:::csv%,%syslogtag:::csv%,%msg:::csv%\n"
    )
    *.* action(type="ompipe" Pipe="/var/osquery/syslog_pipe" template="OsqueryCsvFormat")
    3. After that I enabled scheduled queries and everything worked fine. I was able to query process events successfully (after configuring the required flags).
    Now I am trying the same thing with a docker container as a host and kolide fleet as the server. I made the same changes for this but changed the properties as required for TLS. This time I am able to make queries from fleet to osqueryd running inside the docker container. But the only issue is with process events. They don't get logged. I installed rsyslog in the container, but restarting rsyslog doesn't work here.
    Finally, my doubt is: is rsyslog really required when kolide fleet is used to schedule process events queries?
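    As an added example (not code from the thread or from osquery itself), here is a small parser for the lines the OsqueryCsvFormat template above writes into the pipe, producing records shaped like osquery's syslog table columns. It assumes rsyslog's csv property option quotes fields per RFC 4180 (the csv module also accepts unquoted fields), and the sample lines are constructed.

```python
import csv
import io
from datetime import datetime, timezone

# Column order fixed by the OsqueryCsvFormat template in the post above.
FIELDS = ("timestamp", "hostname", "severity", "facility", "tag", "msg")

# Constructed sample lines in the shape rsyslog's csv option emits
# (fields double-quoted, embedded quotes doubled). Not real host data.
SAMPLE_LINES = [
    '"2019-05-01T10:15:30.123456+00:00","host1","6","auth","sshd[1234]:",'
    '" Accepted publickey for alice from 10.0.0.5 port 52314 ssh2"',
    '"2019-05-01T10:15:31.000000+00:00","host1","4","kern","kernel:",'
    '" audit: type=1300 msg=""quoted"" value"',
    'not,a,valid,line',  # wrong field count: reject, never half-parse
]


def parse_osquery_csv_line(line):
    """Parse one pipe line into a dict shaped like osquery's syslog table.

    Returns None when the field count does not match the template, so a
    consumer never maps a truncated or foreign line onto the wrong columns.
    """
    row = next(csv.reader(io.StringIO(line)))
    if len(row) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, row))
    # RFC 3339 timestamp (as date-rfc3339 writes it) -> epoch seconds.
    ts = datetime.fromisoformat(rec["timestamp"])
    rec["time"] = int(ts.astimezone(timezone.utc).timestamp())
    rec["severity"] = int(rec["severity"])
    rec["msg"] = rec["msg"].strip()
    return rec


def parse_pipe_stream(lines):
    """Parse many lines; returns (records, rejected_count)."""
    records, rejected = [], 0
    for line in lines:
        rec = parse_osquery_csv_line(line)
        if rec is None:
            rejected += 1
        else:
            records.append(rec)
    return records, rejected


if __name__ == "__main__":
    recs, bad = parse_pipe_stream(SAMPLE_LINES)
    for r in recs:
        print(r["time"], r["hostname"], r["facility"], r["tag"], r["msg"])
    print("rejected:", bad)
```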
  • theopolis

    1 year ago
    It sounds like you are doing a few things that are sort of unrelated, so we can discuss them 1 by 1.
    1. Configure osquery to use Kolide
    2. Configure osquery to consume syslog from the system
    3. Configure osquery to use audit and produce process events
    You are correct that syslog is not required for process events. If you follow this guide: https://osquery.readthedocs.io/en/latest/deployment/process-auditing/ it assumes you are not running in a container.