CentOS 7

OSQuery : Scheduled Monitoring
2016/10/16
 
Configure the query schedule and start the daemon so that query results are logged regularly.
[1] Set the configuration in the osquery config file as follows. The file is JSON; the `//` comments below are accepted by osquery's own config parser but would be rejected by a strict JSON parser, so strip them if you generate or validate the file with other tools.
[root@dlp ~]#
# Edit the osquery daemon configuration. The daemon is started as root below
# and trusts whatever this file tells it to run and where to log, so keep the
# file root-owned and not writable by other accounts.
vi /etc/osquery/osquery.conf
# create new

{
  "options": {
    // config plugin: where osqueryd reads its configuration from
    // ("filesystem" is the default, meaning this file plus the "packs" below).
    // NOTE(review): the daemon trusts this file completely; keep it root-owned
    // and not writable by unprivileged users.
    "config_plugin": "filesystem",

    // logger plugin: where query results and status messages are written
    // ("filesystem" is the default)
    "logger_plugin": "filesystem",

    // directory for the result and status log files
    // NOTE(review): the results contain host inventory data (see the
    // system_info / dns_resolvers rows below); restrict read access to the
    // accounts and log shippers that need it.
    "logger_path": "/var/log/osquery",

    // PID file of the daemon
    "pidfile": "/var/osquery/osquery.pidfile",

    // number of worker threads used to run scheduled queries concurrently
    "worker_threads": "2",

    // enable schedule profiling: with this on, adding the query
    // "select * from osquery_schedule" to the schedule section records the
    // per-query performance of the scheduler itself
    "enable_monitor": "true"
  },

  "schedule": {
    // example: record CPU time every 300 seconds
    "cpu_time": {
      "query": "SELECT * FROM cpu_time;",
      "interval": 300
    },
    // example: record the resolv.conf settings once an hour
    "dns_resolvers": {
      "query": "SELECT * FROM dns_resolvers;",
      "interval": 3600
    }
  },

   "packs": {
     // packs let you include further query files; this one presumably ships
     // with the osquery package (its queries are run with the same trust as
     // this file, so apply the same ownership/permission checks to it)
     "hardware-monitoring": "/usr/share/osquery/packs/hardware-monitoring.conf"
   }
}

[root@dlp ~]#
# start the osquery daemon now (the ".service" suffix is what systemctl
# assumes when it is omitted)
systemctl start osqueryd.service

[root@dlp ~]#
# make osqueryd start automatically at boot
systemctl enable osqueryd.service
[2] The query results are written to the file shown below. Note that osquery logs differentially by default: a scheduled query writes rows to the results log only when its result differs from the previous run, so the first run of every query logs its complete result and later runs stay quiet unless something changed. If a consumer needs the full result on every run (for example an inventory feed), mark that scheduled query with `"snapshot": true` (see the osquery documentation). The `system_info` entries below are not in the schedule above; they presumably come from the included hardware-monitoring pack.
[root@dlp ~]#
# dump the scheduled-query results log (one JSON object per line)
cat </var/log/osquery/osqueryd.results.log

{"name":"system_info","hostIdentifier":"dlp.srv.world","calendarTime":"Mon Oct 17 06:37:35 2016 UTC","unixTime":"1...
{"name":"system_info","hostIdentifier":"dlp.srv.world","calendarTime":"Mon Oct 17 06:37:35 2016 UTC","unixTime":"1...
{"name":"system_info","hostIdentifier":"dlp.srv.world","calendarTime":"Mon Oct 17 06:37:35 2016 UTC","unixTime":"1...
{"name":"system_info","hostIdentifier":"dlp.srv.world","calendarTime":"Mon Oct 17 06:37:35 2016 UTC","unixTime":"1...
{"name":"system_info","hostIdentifier":"dlp.srv.world","calendarTime":"Mon Oct 17 06:37:35 2016 UTC","unixTime":"1...
{"name":"system_info","hostIdentifier":"dlp.srv.world","calendarTime":"Mon Oct 17 06:37:35 2016 UTC","unixTime":"1...
{"name":"system_info","hostIdentifier":"dlp.srv.world","calendarTime":"Mon Oct 17 06:37:35 2016 UTC","unixTime":"1...
{"name":"system_info","hostIdentifier":"dlp.srv.world","calendarTime":"Mon Oct 17 06:37:35 2016 UTC","unixTime":"1...
{"name":"dns_resolvers","hostIdentifier":"dlp.srv.world","calendarTime":"Mon Oct 17 06:38:00 2016 UTC","unixTime":...
{"name":"dns_resolvers","hostIdentifier":"dlp.srv.world","calendarTime":"Mon Oct 17 06:38:00 2016 UTC","unixTime":...
{"name":"system_info","hostIdentifier":"dlp.srv.world","calendarTime":"Mon Oct 17 06:38:30 2016 UTC","unixTime":"1...
{"name":"system_info","hostIdentifier":"dlp.srv.world","calendarTime":"Mon Oct 17 06:38:30 2016 UTC","unixTime":"1...
{"name":"system_info","hostIdentifier":"dlp.srv.world","calendarTime":"Mon Oct 17 06:38:30 2016 UTC","unixTime":"1...
{"name":"system_info","hostIdentifier":"dlp.srv.world","calendarTime":"Mon Oct 17 06:38:30 2016 UTC","unixTime":"1...
{"name":"system_info","hostIdentifier":"dlp.srv.world","calendarTime":"Mon Oct 17 06:38:30 2016 UTC","unixTime":"1...
{"name":"system_info","hostIdentifier":"dlp.srv.world","calendarTime":"Mon Oct 17 06:38:30 2016 UTC","unixTime":"1...
{"name":"system_info","hostIdentifier":"dlp.srv.world","calendarTime":"Mon Oct 17 06:38:30 2016 UTC","unixTime":"1...
{"name":"system_info","hostIdentifier":"dlp.srv.world","calendarTime":"Mon Oct 17 06:38:30 2016 UTC","unixTime":"1...
{"name":"system_info","hostIdentifier":"dlp.srv.world","calendarTime":"Mon Oct 17 06:39:25 2016 UTC","unixTime":"1...
{"name":"system_info","hostIdentifier":"dlp.srv.world","calendarTime":"Mon Oct 17 06:39:25 2016 UTC","unixTime":"1...
 