Overview
There are two ways to integrate with Osquery:
Before you begin
This integration requires a Blumira sensor to be installed before you can complete the steps below. Ensure that you complete the steps in Building a Blumira sensor with Ubuntu before you continue.
Gather the IP address of your Blumira sensor to use when configuring the external service.
To find and copy the IP address of the sensor, do the following:
- In Blumira, navigate to Ingestion > Sensors.
- Click the sensor row to open the details page.
- In the Overview section, next to Host Details, copy the IP address.
Automating configuration with Osquery autodeploy script
To support large deployments, Blumira offers a script that will automate the process of sending logs from Osquery to Blumira.
- Install git.
- Disable auditd.
- Download the config file from Github: https://github.com/Blumira/blumira-osquery-config.
-
Run this command:
sudo osquery-deploy.sh -s <IP of Blumira Sensor> -d [select OS: ubuntu|rhel|centos]Example:
sudo osquery-deploy.sh -s 172.16.1.100 -d ubuntu
Troubleshooting the script
===== Blumira Osquery Deployment Utility =====
| -h –help | View this help menu |
| -d –distro | Provides the linux distro to deploy osquery on (supported options: ubuntu|rhel|centos) |
| -s –server | Provides the server IP of the Blumira sensor to send syslog forwarding to |
Configuring manually
- Follow the steps in Integrating with Linux OS.
- Download the most recent version of osquery for your respective OS: https://osquery.io/downloads/
-
Download Osquery config by running the following commands:
git clone https://github.com/palantir/osquery-configuration.git sudo cp -av osquery-configuration/Classic/Servers/Linux/* /etc/osquery/ sudo chown -R root. /etc/osquery/ echo "--logger_rotate=true" >> /etc/osquery/osquery.flags echo "--logger_rotate_size=500000000" >> /etc/osquery/osquery.flags echo "--logger_rotate_max_files=3" >> /etc/osquery/osquery.flags -
Enable and then start the Osquery service by running the following commands:
sudo systemctl enable osqueryd.service sudo systemctl start osqueryd.service -
Create Osquery rsyslog config file by running the following command:
sudo vim /etc/rsyslog.d/osquery.confor
sudo nano /etc/rsyslog.d/osquery.conf -
Copy and paste the following code into the osquery.conf:
# Prep $ModLoad imfile $InputFilePollInterval 10 $PrivDropToGroup adm $WorkDirectory /var/spool/rsyslog # Apache Access File: $InputFileName /var/log/osquery/osqueryd.results.log $InputFileTag osqueryd: $InputFileStateFile stat-osquery $InputFileSeverity info $InputFilePersistStateInterval 20000 $InputRunFileMonitor # Tag, Forward to BLUNIX System Logger then Stop if $programname == 'osqueryd' then stop -
Ensure that rsyslog will run as root by commenting out the below two lines in /etc/rsyslog.conf
$PrivDropToUser syslog $PrivDropToGroup syslog
Troubleshooting
On RedHat/Centos systems in AWS, auditd is enabled and will prevent osquery process monitoring.
Verify that auditd is disabled, or disable it by running the following commands:
sudo systemctl stop auditd.service
sudo systemctl disable auditd.service
sudo systemctl restart osqueryd.service