Getting Started with osquery

2018-12-11 17:04:39
  1. How to install

    # for CentOS 7
    sudo rpm -ivh https://osquery-packages.s3.amazonaws.com/centos7/noarch/osquery-s3-centos7-repo-1-0.0.noarch.rpm
    sudo yum install osquery

    # start from the shipped example config, then start the daemon
    sudo cp /usr/share/osquery/osquery.example.conf /etc/osquery/osquery.conf
    # sudo service osqueryd start   (SysV init systems)
    sudo systemctl start osqueryd
    # for CentOS 6.x
    sudo rpm -ivh https://osquery-packages.s3.amazonaws.com/centos6/noarch/osquery-s3-centos6-repo-1-0.0.noarch.rpm
    sudo yum install osquery

    # the default packages create the following structure
    /etc/osquery/
    /usr/share/osquery/osquery.example.conf
    /usr/share/osquery/lenses/{*}.aug
    /usr/share/osquery/packs/{*}.conf
    /var/log/osquery/
    /usr/lib/osquery/
    /usr/bin/osqueryctl
    /usr/bin/osqueryd
    /usr/bin/osqueryi
  2. How to use

    osquery> SELECT pid, name, path FROM processes LIMIT 1;
    +-----+------+------------+
    | pid | name | path       |
    +-----+------+------------+
    | 1   | init | /sbin/init |
    +-----+------+------------+

    osqueryi --json "SELECT * FROM processes limit 1"
    [
    {"cmdline":"/sbin/init","cwd":"/","disk_bytes_read":"150400097280","disk_bytes_written":"31441313792","egid":"0","euid":"0","gid":"0","name":"init","nice":"0","on_disk":"1","parent":"0","path":"/sbin/init","pgroup":"1","pid":"1","resident_size":"396000","root":"/","sgid":"0","start_time":"0","state":"S","suid":"0","system_time":"1440","threads":"1","total_size":"19356000","uid":"0","user_time":"230","wired_size":"0"}
    ]
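Calling osqueryi from a script, as an added example that is not code from this post or from osquery itself. Notice in the JSON output above that every column value is a string, `"pid":"1"` included, so anything that consumes `osqueryi --json` has to convert the numeric columns itself. The set of numeric columns below is my own choice for the `processes` table, `run_osqueryi()` assumes `osqueryi` is installed and on PATH, and the parsing helpers run offline on the captured row from above.

```python
"""Run osqueryi from a script and turn its JSON output into typed rows.

Added example (not from the post or from osquery). run_osqueryi() assumes
`osqueryi` is on PATH; parse_osqueryi_json() works offline on captured output.
"""
import json
import shutil
import subprocess
from typing import Any, Dict, List, Optional

# osqueryi --json emits every column value as a string, numeric ones included.
# Columns in this set are converted to int; the list is an assumption for the
# processes table, extend it for other tables.
NUMERIC_COLUMNS = {
    "pid", "parent", "pgroup", "uid", "gid", "euid", "egid", "suid", "sgid",
    "nice", "on_disk", "threads", "resident_size", "total_size", "wired_size",
    "user_time", "system_time", "start_time",
    "disk_bytes_read", "disk_bytes_written",
}


def parse_osqueryi_json(output: str) -> List[Dict[str, Any]]:
    """Parse the JSON array printed by `osqueryi --json` into typed rows."""
    rows = json.loads(output)
    if not isinstance(rows, list):
        raise ValueError("expected a JSON array of rows")
    typed = []
    for row in rows:
        converted = {}
        for key, value in row.items():
            # osquery uses "" for NULL-ish numeric values; leave those as-is
            if key in NUMERIC_COLUMNS and value not in ("", None):
                converted[key] = int(value)
            else:
                converted[key] = value
        typed.append(converted)
    return typed


def run_osqueryi(sql: str, timeout: int = 30) -> Optional[List[Dict[str, Any]]]:
    """Run one query through `osqueryi --json`; return None if osqueryi is missing."""
    if shutil.which("osqueryi") is None:
        return None
    proc = subprocess.run(
        ["osqueryi", "--json", sql],
        capture_output=True, text=True, timeout=timeout, check=True,
    )
    return parse_osqueryi_json(proc.stdout)


# The `SELECT * FROM processes limit 1` row captured above, reused here as
# offline sample input.
SAMPLE_OUTPUT = '[{"cmdline":"/sbin/init","cwd":"/","disk_bytes_read":"150400097280","disk_bytes_written":"31441313792","egid":"0","euid":"0","gid":"0","name":"init","nice":"0","on_disk":"1","parent":"0","path":"/sbin/init","pgroup":"1","pid":"1","resident_size":"396000","root":"/","sgid":"0","start_time":"0","state":"S","suid":"0","system_time":"1440","threads":"1","total_size":"19356000","uid":"0","user_time":"230","wired_size":"0"}]'


def root_processes(rows: List[Dict[str, Any]]) -> List[str]:
    """Names of processes whose effective uid is 0 (a typical triage filter).

    Works only after conversion: on raw osqueryi output euid would be "0".
    """
    return [r["name"] for r in rows if r.get("euid") == 0]


if __name__ == "__main__":
    rows = run_osqueryi("SELECT pid, name, path, euid FROM processes LIMIT 5")
    if rows is None:  # osqueryi not installed: fall back to the captured row
        rows = parse_osqueryi_json(SAMPLE_OUTPUT)
    for r in rows:
        print(r["pid"], r["name"], r["path"])
    print("running as root:", root_processes(rows))
```

The `root_processes` filter is deliberately written against converted rows; comparing the raw string `"0"` to the integer `0` is the kind of silent mismatch that makes scripted osquery checks return nothing without an error.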
  3. Features Overview

  • osqueryd
    The high-performance and low-footprint distributed host monitoring daemon, osqueryd, allows you to schedule queries to be executed across your entire infrastructure. The daemon takes care of aggregating the query results over time and generates logs which indicate state changes in your infrastructure. You can use this to maintain insight into the security, performance, configuration, and state of your entire infrastructure. osqueryd's logging can integrate into your internal log aggregation pipeline, regardless of your technology stack, via a robust plugin architecture.

  • osqueryi
    The interactive query console, osqueryi, gives you a SQL interface to try out new queries and explore your operating system. With the power of a complete SQL language and dozens of useful tables built in, osqueryi is an invaluable tool when performing incident response, diagnosing a systems operations problem, troubleshooting a performance issue, etc.

  • osquery
    osquery is cross-platform. Even though osquery takes advantage of very low-level operating system APIs, you can build and use osquery on Mac OS X, Ubuntu, CentOS and other popular enterprise Linux distributions.

  • plugin architecture
    To assist with the rollout process, the osquery user guide has detailed documentation on internal deployment. osquery was built so that every environment-specific aspect of the toolchain can be hot-swapped at run time with custom plugins. Use these interfaces to deeply integrate osquery into your infrastructure if none of the several existing plugins suit your needs.

  4. Logging
    The osquery daemon uses a default filesystem logging plugin. Like the config, output from the filesystem plugin is written as JSON. Results from the query schedule are written to /var/log/osquery/osqueryd.results.log.
    There are two types of logs:
    1. Status logs (info, warning, error, and fatal)
    2. Query schedule results logs
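A small consumer of the results log, as an added example that is not from this post or from osquery, covering both the state-change logging that osqueryd's description above promises and the results log named here. It assumes the filesystem logger's line format: one JSON object per line, carrying `"action"` of `"added"` or `"removed"` plus a `"columns"` object for a differential query, or `"action": "snapshot"` plus a `"snapshot"` array for a snapshot query. The log lines, query names (`listening_ports`, `users_snapshot`) and host name (`web-01`) are constructed for the example.

```python
"""Summarise state changes recorded in osqueryd.results.log.

Added example, not code from the original post or from osquery. Input is the
filesystem logger's output (/var/log/osquery/osqueryd.results.log by default),
one JSON object per line. The sample lines below are constructed.
"""
import json
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Constructed sample log: a differential query reporting one new listening
# port and one that went away, a snapshot query, and a torn line such as a
# reader can meet at the tail of a log that is still being written.
SAMPLE_LOG = """\
{"name":"listening_ports","hostIdentifier":"web-01","calendarTime":"Tue Dec 11 17:04:39 2018 UTC","unixTime":1544547879,"epoch":0,"counter":1,"decorations":{},"columns":{"pid":"2314","name":"python3","port":"8080","address":"0.0.0.0"},"action":"added"}
{"name":"listening_ports","hostIdentifier":"web-01","calendarTime":"Tue Dec 11 17:04:39 2018 UTC","unixTime":1544547879,"epoch":0,"counter":1,"decorations":{},"columns":{"pid":"1201","name":"nginx","port":"80","address":"0.0.0.0"},"action":"removed"}
{"name":"users_snapshot","hostIdentifier":"web-01","calendarTime":"Tue Dec 11 17:05:00 2018 UTC","unixTime":1544547900,"epoch":0,"counter":0,"decorations":{},"snapshot":[{"uid":"0","username":"root"},{"uid":"1000","username":"deploy"}],"action":"snapshot"}
{"name":"listening_ports","hostIdentifier":"web-01","calendarTi
"""


def iter_records(lines: Iterable[str]) -> Iterable[dict]:
    """Yield parsed records, skipping blank lines and lines that are not
    complete JSON (a partially written trailing line, for instance)."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def summarise_changes(lines: Iterable[str]) -> Dict[Tuple[str, str], dict]:
    """Group records by (host, query name).

    Differential records land in "added"/"removed" lists of their column
    dicts; snapshot records only contribute their row count.
    """
    summary = defaultdict(lambda: {"added": [], "removed": [], "snapshot_rows": 0})
    for rec in iter_records(lines):
        key = (rec.get("hostIdentifier", "?"), rec.get("name", "?"))
        action = rec.get("action")
        if action in ("added", "removed"):
            summary[key][action].append(rec.get("columns", {}))
        elif action == "snapshot":
            summary[key]["snapshot_rows"] += len(rec.get("snapshot", []))
    return dict(summary)


def new_listeners(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """(host, process name, port) for each port that newly started listening,
    i.e. the "added" rows of the listening_ports schedule entry."""
    out = []
    for (host, query), changes in summarise_changes(lines).items():
        if query != "listening_ports":
            continue
        for cols in changes["added"]:
            out.append((host, cols.get("name", ""), cols.get("port", "")))
    return out


if __name__ == "__main__":
    # Real use: open("/var/log/osquery/osqueryd.results.log") instead
    for host, proc, port in new_listeners(SAMPLE_LOG.splitlines()):
        print(f"{host}: {proc} started listening on port {port}")
```

Because the daemon logs differences rather than full result sets, a consumer like this one sees exactly the events the osqueryd paragraph above describes: each "added" line is a state change on that host since the previous run of the query, and nothing is logged while nothing changes.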

ref
osquery
Using osqueryd to monitor a system