Automating configuration with Osquery autodeploy script
To support large deployments, Blumira offers a script that will automate the process of sending logs from Osquery to Blumira.
- Install git.
- Disable auditd.
- Download the config file from GitHub: https://github.com/Blumira/blumira-osquery-config.
- Run this command:
sudo osquery-deploy.sh -s <IP of Blumira Sensor> -d [select OS: ubuntu|rhel|centos]
Example:
sudo osquery-deploy.sh -s 172.16.1.100 -d ubuntu
Troubleshooting the script
===== Blumira Osquery Deployment Utility =====
-h --help: View this help menu
-d --distro: Provides the linux distro to deploy osquery on (supported options: ubuntu|rhel|centos)
-s --server: Provides the server IP of the Blumira sensor to send syslog forwarding to
Configuring manually
- Follow the steps in Integrating with Linux Servers.
- Download the most recent version of osquery for your respective OS: https://osquery.io/downloads/
- Download the Osquery config by running the following commands:
git clone https://github.com/palantir/osquery-configuration.git
sudo cp -av osquery-configuration/Classic/Servers/Linux/* /etc/osquery/
sudo chown -R root. /etc/osquery/
sudo systemctl enable osqueryd.service
sudo systemctl start osqueryd.service
- Add the following log-rotation flags to the osquery flags file (osqueryd reads /etc/osquery/osquery.flags by default on Linux):
--logger_rotate=true
--logger_rotate_size=500000000
--logger_rotate_max_files=3
- Create Osquery rsyslog config file by running the following command:
sudo vim /etc/rsyslog.d/osquery.conf
or
sudo nano /etc/rsyslog.d/osquery.conf
- Copy and paste the following code into the osquery.conf:
# Prep
$ModLoad imfile
$InputFilePollInterval 10
$PrivDropToGroup adm
$WorkDirectory /var/spool/rsyslog
# osquery results log, read by imfile:
$InputFileName /var/log/osquery/osqueryd.results.log
$InputFileTag osqueryd:
$InputFileStateFile stat-osquery
$InputFileSeverity info
$InputFilePersistStateInterval 20000
$InputRunFileMonitor
# Tag, Forward to BLUNIX System Logger then Stop
if $programname == 'osqueryd' then stop
- Ensure that rsyslog runs as root by commenting out the following two lines in /etc/rsyslog.conf:
$PrivDropToUser syslog
$PrivDropToGroup syslog
Troubleshooting
On Red Hat/CentOS systems in AWS, auditd is enabled and will prevent osquery process monitoring.
Verify that auditd is disabled, or disable it by running the following commands:
sudo systemctl stop auditd.service
sudo systemctl disable auditd.service
sudo systemctl restart osqueryd.service
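A verification script, added here as an example and not part of Blumira's page or deploy utility, that checks the pieces the manual configuration and troubleshooting sections set up: the imfile directives in /etc/rsyslog.d/osquery.conf, that the PrivDrop lines in /etc/rsyslog.conf are commented out, and that auditd is not active. The script name osquery-forward-check.sh and the optional alternate-path arguments are assumptions for illustration.

```shell
#!/bin/sh
# Added verification helper, not Blumira's script or config. It checks what this page sets up:
# the imfile directives in /etc/rsyslog.d/osquery.conf, that /etc/rsyslog.conf no longer drops
# privileges, and that auditd is not active. Each check accepts an alternate path for testing.

# Return 0 when every required imfile directive is present (uncommented) in the given file.
check_osquery_conf() {
    conf="${1:-/etc/rsyslog.d/osquery.conf}"
    [ -r "$conf" ] || { echo "missing: $conf"; return 1; }
    rc=0
    for directive in 'ModLoad imfile' \
                     'InputFileName /var/log/osquery/osqueryd.results.log' \
                     'InputFileTag osqueryd:' \
                     'InputRunFileMonitor'; do
        grep -q "^[[:space:]]*[$]$directive" "$conf" \
            || { echo "missing directive: \$$directive in $conf"; rc=1; }
    done
    return "$rc"
}

# Return 0 when no active PrivDropToUser/PrivDropToGroup line remains in rsyslog.conf.
check_privdrop() {
    conf="${1:-/etc/rsyslog.conf}"
    [ -r "$conf" ] || { echo "missing: $conf"; return 1; }
    if grep -Eq '^[[:space:]]*\$PrivDropTo(User|Group)' "$conf"; then
        echo "rsyslog still drops privileges; comment out \$PrivDropToUser/\$PrivDropToGroup in $conf"
        return 1
    fi
    return 0
}

# Return 0 when auditd is not running (or systemd is not present at all).
check_auditd() {
    if command -v systemctl >/dev/null 2>&1 && systemctl is-active --quiet auditd.service; then
        echo "auditd is active: stop and disable it, then restart osqueryd"
        return 1
    fi
    return 0
}

main() {
    status=0
    check_osquery_conf || status=1
    check_privdrop || status=1
    check_auditd || status=1
    [ "$status" -eq 0 ] && echo "osquery -> rsyslog forwarding prerequisites look good"
    return "$status"
}
# Run the full check only when invoked as the (assumed) script name, so it can also be sourced.
case "$0" in *osquery-forward-check.sh) main ;; esac
```

Run it after completing the manual steps; a non-zero exit and the printed message name the step that still needs attention.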