Overview
There are two ways to integrate with Osquery: with the Osquery autodeploy script, or by configuring it manually.
Note: Commands included in this document are Linux flavor-agnostic and should work on all tested OSes, including Ubuntu, CentOS, and RHEL.
Before you begin
This integration requires a Blumira sensor to be installed before you can complete the steps below. Ensure that you complete the steps in Building a Blumira sensor with Ubuntu before you continue.
Gather the IP address of your Blumira sensor to use when configuring the external service.
To find and copy the IP address of the sensor, do the following:
- In Blumira, navigate to Settings > Sensors.
- Click the sensor row to open the details page.
- Under Overview, in the Host Details box, copy the IP value.
Automating configuration with Osquery autodeploy script
To support large deployments, Blumira offers a script that will automate the process of sending logs from Osquery to Blumira.
- Install git.
- Disable auditd.
- Download the config file from GitHub: https://github.com/Blumira/blumira-osquery-config.
- Run this command:
sudo osquery-deploy.sh -s <IP of Blumira Sensor> -d [select OS: ubuntu|rhel|centos]
Example: sudo osquery-deploy.sh -s 172.16.1.100 -d ubuntu
Troubleshooting the script
===== Blumira Osquery Deployment Utility =====
-h --help: View this help menu
-d --distro: Provides the linux distro to deploy osquery on (supported options: ubuntu|rhel|centos)
-s --server: Provides the server IP of the Blumira sensor to send syslog forwarding to
Configuring manually
- Follow the steps in Integrating with Linux OS.
- Download the most recent version of osquery for your respective OS: https://osquery.io/downloads/
- Download the Osquery config by running the following commands (the flags file is root-owned after the chown, so the appends go through sudo tee):
git clone https://github.com/palantir/osquery-configuration.git
sudo cp -av osquery-configuration/Classic/Servers/Linux/* /etc/osquery/
sudo chown -R root. /etc/osquery/
echo "--logger_rotate=true" | sudo tee -a /etc/osquery/osquery.flags
echo "--logger_rotate_size=500000000" | sudo tee -a /etc/osquery/osquery.flags
echo "--logger_rotate_max_files=3" | sudo tee -a /etc/osquery/osquery.flags
- Enable and then start the Osquery service by running the following commands:
sudo systemctl enable osqueryd.service
sudo systemctl start osqueryd.service
- Create Osquery rsyslog config file by running the following command:
sudo vim /etc/rsyslog.d/osquery.conf
or
sudo nano /etc/rsyslog.d/osquery.conf
- Copy and paste the following code into the osquery.conf:
# Prep
$ModLoad imfile
$InputFilePollInterval 10
$PrivDropToGroup adm
$WorkDirectory /var/spool/rsyslog
# Osquery results log, read by imfile:
$InputFileName /var/log/osquery/osqueryd.results.log
$InputFileTag osqueryd:
$InputFileStateFile stat-osquery
$InputFileSeverity info
$InputFilePersistStateInterval 20000
$InputRunFileMonitor
# Tag, Forward to BLUNIX System Logger then Stop
if $programname == 'osqueryd' then stop
- Ensure that rsyslog will run as root by commenting out the two lines below in /etc/rsyslog.conf:
$PrivDropToUser syslog
$PrivDropToGroup syslog
Troubleshooting
On Red Hat/CentOS systems in AWS, auditd is enabled and will prevent osquery process monitoring.
Verify that auditd is disabled, or disable it by running the following commands:
sudo systemctl stop auditd.service
sudo systemctl disable auditd.service
sudo systemctl restart osqueryd.service
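As an added example (not Blumira's script or any code from this page), the following POSIX shell lint checks the files the manual steps and the troubleshooting section touch: the rotation flags in osquery.flags, the imfile input in osquery.conf, the commented-out privilege-drop lines in rsyslog.conf, and that auditd is inactive. Function names and messages are my own; the paths and expected values are the ones given above.

```shell
# Post-deployment lint for the files this guide edits: each check takes an optional
# path (default: the path used above), prints what is wrong and returns non-zero.
# Flags the manual steps append to osquery.flags.
REQUIRED_FLAGS="--logger_rotate=true --logger_rotate_size=500000000 --logger_rotate_max_files=3"

# Pass when every required log-rotation flag is present as a full line.
check_osquery_flags() {
    flags_file="${1:-/etc/osquery/osquery.flags}"
    [ -r "$flags_file" ] || { echo "missing $flags_file"; return 1; }
    rc=0
    for flag in $REQUIRED_FLAGS; do
        grep -qxF -- "$flag" "$flags_file" || { echo "flag not set: $flag"; rc=1; }
    done
    return $rc
}

# Pass when rsyslog's imfile input watches the results log under the osqueryd: tag.
check_rsyslog_osquery_conf() {
    conf="${1:-/etc/rsyslog.d/osquery.conf}"
    [ -r "$conf" ] || { echo "missing $conf"; return 1; }
    rc=0
    grep -qF '$ModLoad imfile' "$conf" || { echo "imfile module not loaded"; rc=1; }
    grep -qF '$InputFileName /var/log/osquery/osqueryd.results.log' "$conf" \
        || { echo "results log is not monitored"; rc=1; }
    grep -qF '$InputFileTag osqueryd:' "$conf" || { echo "osqueryd: tag missing"; rc=1; }
    return $rc
}

# Pass when both privilege-drop directives are commented out or absent (rsyslog keeps root).
check_rsyslog_runs_as_root() {
    conf="${1:-/etc/rsyslog.conf}"
    [ -r "$conf" ] || { echo "missing $conf"; return 1; }
    if grep -qE '^[[:space:]]*\$PrivDropTo(User|Group)[[:space:]]' "$conf"; then
        echo "rsyslog still drops privileges in $conf"; return 1
    fi
}

# Pass when auditd is not active; a running auditd blocks osquery process monitoring.
check_auditd_disabled() {
    if systemctl is-active --quiet auditd.service 2>/dev/null; then
        echo "auditd is active; stop and disable it"; return 1
    fi
}

# Run every check against the live host; returns non-zero if any check fails.
run_all_checks() {
    rc=0
    for c in check_osquery_flags check_rsyslog_osquery_conf check_rsyslog_runs_as_root check_auditd_disabled; do $c || rc=1; done
    return $rc
}
```

Source the file on the host and call run_all_checks after the restart of osqueryd; any line it prints names the step to revisit.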