  • vaar, 2 years ago
    Do you have experience running osquery in an enterprise without a fleet manager, using only chef/puppet/jamf? How do you manage the packs/FIM/conf? How do you stream the query results into the logs pipeline?
  • theopolis, 2 years ago
    Yes, use chef to manage your config + packs. Then, for ingesting logs: how do you do this today? If you have an existing pipeline, try to fit osquery into it. The default behavior is to write logs to a file; do you have something that similarly collects logs? If you search/google osquery + $yourexistingtools you might find guides.
  • vaar, 2 years ago
    At the moment I am using a fleet manager: osquery forwards the logs via TLS to it, and Beats ships them from the fleet manager to the pipeline.
    The problem is that I can't send osquery logs to the pipeline directly; what else can I use?
  • theopolis, 2 years ago
    Ah, so you are looking for alternatives?
    syslog, splunk, etc.?
  • vaar, 2 years ago
    Maybe via osquery's Kafka logger, but it seems to be not so stable.
    My pipeline ingests logs as syslog or Kafka.
    I tried osquery's Kafka logger more than one year ago and I had a few issues with libkafka; I should try it again.
  • CptOfEvilMinions, 2 years ago
    Hey @vaar, sorry for the late reply here, but I wrote a blog post a couple of months back on sending osquery logs with Rsyslog. This blog post shows how to set up the Rsyslog client to send osquery logs, and the Rsyslog server: https://holdmybeersecurity.com/2019/03/29/logging-osquery-with-rsyslog-v8-love-at-first-sight/ Additionally, I have several other blog posts on how to ship osquery logs using Rsyslog to Kafka.
    Hope this helps 🙂