
Integrating with Osquery

Overview

There are two ways to integrate with Osquery: run the Blumira Osquery autodeploy script, or configure Osquery and rsyslog manually. Both are described below.

Note: Commands included in this document are Linux flavor-agnostic and should work on all tested OSes, including Ubuntu, CentOS, and RHEL.

Before you begin

This integration requires a Blumira sensor to be installed before you can complete the steps below. Ensure that you complete the steps in Building a Blumira sensor with Ubuntu before you continue.

Gather the IP address of your Blumira sensor to use when configuring the external service.

To find and copy the IP address of the sensor, do the following:

  1. In Blumira, navigate to Settings > Sensors.
  2. Click the sensor row to open the details page.
  3. In the Overview section, next to Host Details, copy the IP address.

Automating configuration with Osquery autodeploy script

To support large deployments, Blumira offers a script that automates deploying Osquery and sending its logs to Blumira.

  1. Install git.
  2. Disable auditd (see Troubleshooting below).
  3. Clone the deployment repository from GitHub: https://github.com/Blumira/blumira-osquery-config.
  4. From the cloned directory, run the script, passing the sensor IP address and your distribution:
    sudo ./osquery-deploy.sh -s <IP of Blumira Sensor> -d <ubuntu|rhel|centos>
    Example:
    sudo ./osquery-deploy.sh -s 172.16.1.100 -d ubuntu

Troubleshooting the script

Run the script with -h to print its usage. The options are:

===== Blumira Osquery Deployment Utility =====

   -h --help: View this help menu

   -d --distro: The Linux distribution to deploy osquery on (supported options: ubuntu|rhel|centos)

   -s --server: The IP address of the Blumira sensor to forward syslog to

Configuring manually

  1. Follow the steps in Integrating with Linux OS. The rsyslog forwarding to the sensor configured there is what carries the Osquery results; the rsyslog rule added below only tags and stops them.
  2. Download and install the most recent version of osquery for your OS: https://osquery.io/downloads/
  3. Download the Osquery configuration (Palantir's osquery-configuration repository) and add log rotation flags by running the following commands. The echo lines append to osquery.flags, so run them only once; tee is used because a plain shell redirect into /etc/osquery/ runs without sudo and fails:
    git clone https://github.com/palantir/osquery-configuration.git

    sudo cp -av osquery-configuration/Classic/Servers/Linux/* /etc/osquery/

    sudo chown -R root:root /etc/osquery/

    echo "--logger_rotate=true" | sudo tee -a /etc/osquery/osquery.flags
    echo "--logger_rotate_size=500000000" | sudo tee -a /etc/osquery/osquery.flags
    echo "--logger_rotate_max_files=3" | sudo tee -a /etc/osquery/osquery.flags
  4. Enable and then start the Osquery service by running the following commands:
    sudo systemctl enable osqueryd.service
    sudo systemctl start osqueryd.service
  5. Create the Osquery rsyslog config file by running one of the following commands:
    sudo vim /etc/rsyslog.d/osquery.conf

    or

    sudo nano /etc/rsyslog.d/osquery.conf
  6. Copy and paste the following into osquery.conf. rsyslog evaluates /etc/rsyslog.d/*.conf in file-name order, so the stop rule at the end must sort after the file that forwards to the sensor (from Integrating with Linux OS); if Osquery results never reach Blumira, check that ordering first:
    # Load the file-input module; rsyslog drops to group adm but keeps running as root (see step 7)
    $ModLoad imfile
    $InputFilePollInterval 10
    $PrivDropToGroup adm
    $WorkDirectory /var/spool/rsyslog

    # Osquery results log: one JSON result per line, tagged "osqueryd:" and sent at severity info
    $InputFileName /var/log/osquery/osqueryd.results.log
    $InputFileTag osqueryd:
    $InputFileStateFile stat-osquery
    $InputFileSeverity info
    $InputFilePersistStateInterval 20000
    $InputRunFileMonitor

    # After osqueryd messages have been forwarded to the Blumira sensor, stop processing them
    if $programname == 'osqueryd' then stop
  7. Ensure that rsyslog runs as root, so it can read the results log that osqueryd writes as root, by commenting out the following two lines in /etc/rsyslog.conf (prefix each with #). Then restart the rsyslog service so the new configuration takes effect.

    $PrivDropToUser syslog
    $PrivDropToGroup syslog
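As an added example (not code from Blumira, osquery or rsyslog), the following Python script models the pipeline the steps above build so you can pre-flight it before pointing it at a sensor. It goes slightly beyond the steps: it shows that re-running step 3 leaves duplicate flags in osquery.flags and merges them idempotently instead, validates lines from osqueryd.results.log, renders the syslog frame rsyslog's imfile input forwards (tag "osqueryd:", severity info, imfile's default facility local0, so PRI 134), and flags result lines longer than rsyslog's default $MaxMessageSize of 8192 bytes, which rsyslog truncates unless that directive is raised in /etc/rsyslog.conf. The flag file, the result lines and the hostname web01 are constructed samples.

```python
"""Pre-flight checks for the osquery -> rsyslog -> Blumira sensor pipeline.

Added example, not code from Blumira, osquery or rsyslog. Assumptions: osqueryd
writes one JSON object per line to /var/log/osquery/osqueryd.results.log; rsyslog's
imfile input tags each line "osqueryd:" at severity info with imfile's default
facility local0; rsyslog keeps its default $MaxMessageSize of 8192 bytes.
The sample flag file and result lines below are constructed for the demonstration.
"""
import json
import time

# Flags the manual steps append to /etc/osquery/osquery.flags
REQUIRED_FLAGS = [
    "--logger_rotate=true",
    "--logger_rotate_size=500000000",
    "--logger_rotate_max_files=3",
]
RSYSLOG_DEFAULT_MAX_MESSAGE_SIZE = 8192  # rsyslog truncates longer messages unless $MaxMessageSize is raised
LOCAL0 = 16  # imfile's default facility
INFO = 6     # severity set by "$InputFileSeverity info"

# Constructed sample: a flags file where the echo step was run twice, duplicating a flag
SAMPLE_FLAGS = """# osquery flags (constructed sample)
--logger_rotate=true
--logger_rotate=true
--disable_events=false
"""

# Constructed sample result lines in osquery's per-line "event" log format
SAMPLE_RESULTS = [
    '{"name":"pack_osquery-monitoring_osquery_info","hostIdentifier":"web01",'
    '"calendarTime":"Mon Jan  1 00:00:00 2024 UTC","unixTime":1704067200,'
    '"columns":{"pid":"1234","version":"5.0.1"},"action":"added"}',
    # an oversized event (a long environment value) that rsyslog would truncate
    '{"name":"pack_incident-response_process_env","hostIdentifier":"web01",'
    '"unixTime":1704067200,"columns":{"pid":"2222","key":"PATH","value":"'
    + "/opt/tool/bin:" * 1000 + '"},"action":"added"}',
    "not json at all",
]


def merge_flags(existing: str, required=REQUIRED_FLAGS) -> str:
    """Return flag-file text with each required flag present exactly once.

    Re-running the page's `echo ... >> osquery.flags` step appends duplicates;
    this keeps the first occurrence of each --name and adds only what is missing.
    """
    seen = set()
    lines = []
    for raw in existing.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            lines.append(raw)
            continue
        name = line.split("=", 1)[0]
        if name in seen:
            continue  # drop a duplicate definition of the same flag
        seen.add(name)
        lines.append(line)
    for flag in required:
        name = flag.split("=", 1)[0]
        if name not in seen:
            seen.add(name)
            lines.append(flag)
    return "\n".join(lines) + "\n"


def check_results_line(line: str, max_bytes: int = RSYSLOG_DEFAULT_MAX_MESSAGE_SIZE) -> dict:
    """Validate one results-log line and report whether rsyslog would truncate it."""
    report = {"ok": False, "name": None, "action": None,
              "bytes": len(line.encode("utf-8")), "truncated": False, "error": None}
    try:
        event = json.loads(line)
    except json.JSONDecodeError as exc:
        report["error"] = f"not JSON: {exc.msg}"
        return report
    for key in ("name", "hostIdentifier", "columns", "action"):
        if key not in event:
            report["error"] = f"missing field {key!r}"
            return report
    report.update(ok=True, name=event["name"], action=event["action"])
    # The JSON is the bulk of the forwarded frame; anything past max_bytes is cut off
    report["truncated"] = report["bytes"] > max_bytes
    return report


def to_syslog(line: str, hostname: str, tag: str = "osqueryd",
              facility: int = LOCAL0, severity: int = INFO, when=None) -> str:
    """Render a results-log line as the RFC 3164 frame rsyslog forwards to the sensor.

    The text before ':' in the tag is what rsyslog exposes as $programname, so the
    config's `if $programname == 'osqueryd' then stop` rule matches these lines.
    """
    pri = facility * 8 + severity  # local0.info -> <134>
    t = time.gmtime(time.time() if when is None else when)
    stamp = f"{time.strftime('%b', t)} {t.tm_mday:2d} {time.strftime('%H:%M:%S', t)}"
    return f"<{pri}>{stamp} {hostname} {tag}: {line}"


if __name__ == "__main__":
    print(merge_flags(SAMPLE_FLAGS), end="")
    for line in SAMPLE_RESULTS:
        r = check_results_line(line)
        print(f"ok={r['ok']} bytes={r['bytes']} truncated={r['truncated']} error={r['error']}")
        if r["ok"]:
            print(to_syslog(line, "web01", when=1704067200)[:100])
```

Run it against a copy of your real osquery.flags and a tail of osqueryd.results.log; a truncated=True report means the sensor receives cut-off JSON for that query, and the fix is to raise $MaxMessageSize in /etc/rsyslog.conf or trim the query's columns.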

Troubleshooting

On RedHat/CentOS systems in AWS, auditd is enabled by default and will prevent Osquery process monitoring: auditd holds the kernel audit netlink socket that Osquery's audit-based process event tables need, and only one consumer can own it.

Verify that auditd is disabled, or stop and disable it and then restart Osquery by running the following commands:

sudo systemctl stop auditd.service
sudo systemctl disable auditd.service
sudo systemctl restart osqueryd.service