  • Fran Rodríguez

    2 years ago
    Has anyone managed to configure osquery and syslog in order to keep query results in a file other than the default file?
  • CptOfEvilMinions

    2 years ago
    Here is a blog post I wrote on directing Osquery logs to the system journal. https://holdmybeersecurity.com/2019/03/29/logging-osquery-with-rsyslog-v8-love-at-first-sight/
  • Fran Rodríguez

    2 years ago
    Yes, that's what I thought I should do, but I would like to use only the syslog plugin instead of filesystem and syslog.
  • CptOfEvilMinions

    2 years ago
    In your osquery.conf or osquery.flags set
    "logger_plugin": "syslog"
  • Fran Rodríguez

    2 years ago
    osquery.conf
    I mean, I have configured that in osquery.conf but it doesn't work.
    osquery is not writing to the proper file.
    It is not writing at all.
  • CptOfEvilMinions

    2 years ago
    That is because Osquery is writing to the syslog journal. You need to instruct syslog to read this journal and then write the data where you want it to be. Syslog journal: https://wiki.archlinux.org/index.php/Systemd/Journal
  • Fran Rodríguez

    2 years ago
    Are you sure about that? Because I don't see query results in journalctl.
    I only see system osquery logs,
    I mean status logs.
  • CptOfEvilMinions

    2 years ago
    On Ubuntu 18.04 with osquery v4.3.0 and the following osquery.conf:
    {
      "options": {
        "config_plugin": "filesystem",
        "logger_plugin": "filesystem,syslog",
        "logger_path": "/var/log/osquery",
        "logger_snapshot_event_type": "true",
        "disable_logging": "false",
        "log_result_events": "true",
        "schedule_splay_percent": "10",
        "events_expiry": "3600",
        "verbose": "false",
        "worker_threads": "2",
        "enable_monitor": "true",
        "disable_events": "false",
        "disable_audit": "false",
        "audit_allow_config": "true",
        "audit_allow_sockets": "true",
        "host_identifier": "hostname",
        "schedule_default_interval": "3600",
        "enable_syslog": "false"
      },
      "platform": "linux",
      "schedule": {
        "process_events": {
          "query": "SELECT auid, cmdline, ctime, cwd, egid, euid, gid, parent, path, pid, time, uid FROM process_events WHERE path NOT IN ('/bin/sed', '/usr/bin/tr', '/bin/gawk', '/bin/date', '/bin/mktemp', '/usr/bin/dirname', '/usr/bin/head', '/usr/bin/jq', '/bin/cut', '/bin/uname', '/bin/basename') and cmdline NOT LIKE '%_key%' AND cmdline NOT LIKE '%secret%';",
          "interval": 10
        },
        "socket_events": {
          "query": "SELECT action, auid, family, local_address, local_port, path, pid, remote_address, remote_port, success, time FROM socket_events WHERE success=1 AND path NOT IN ('/usr/bin/hostname') AND remote_address NOT IN ('127.0.0.1', '169.254.169.254', '', '0000:0000:0000:0000:0000:0000:0000:0001', '::1', '0000:0000:0000:0000:0000:ffff:7f00:0001', 'unknown', '0.0.0.0', '0000:0000:0000:0000:0000:0000:0000:0000');",
          "interval": 10
        },
        "disk_space": {
          "query": "select path, round((blocks_available * blocks_size *10e-10),2) as gigs_free, round((blocks_free*1.0/blocks * 100),2) as percent_free from mounts where path='/';",
          "interval": 300
        },
        "python_packages": {
          "query": "SELECT * FROM python_packages;",
          "interval": 300
        }
      }
    }
    Next, I did
    tail -f /var/log/syslog | grep osquery
    then started osqueryd with
    systemctl start osqueryd
    and let it run for 30 seconds to get.
    Make sure Osquery is running with the proper perms to write to the SystemD journal. Ensure that your version of Linux has a SystemD journal.
  • Fran Rodríguez

    2 years ago
    😳
    Ubuntu 16.04
    My configuration is very similar.
    What I got is something like this:

    but never the query results.
    osquery version 4.30
  • CptOfEvilMinions

    2 years ago
    Do you mind trying my config right now? Just trying to eliminate potential problems. If it works with my config then there might be an issue with your config. If it doesn't work with my config above then it's most likely an Ubuntu 16.04 thing.
  • Fran Rodríguez

    2 years ago
    OK, I'm going to try.
    Eii… it doesn't work, same issue.. so I think it is something with Ubuntu 16.04.
    I'm going to use the filesystem logger plugin and an rsyslog config to send logs to my endpoint.
    Thank you very much for the help.