fiorix | 8 years ago

You can configure osquery to execute periodic queries (scheduled queries) of all kinds: computing md5 of your binaries and other files, taking a snapshot of sockets/connections per process, and so on.

By default, osquery uses glog, which means it'll output the results to a local file that you can ship anywhere you want. There are also logging plugins to help you push the results of scheduled queries to other systems.

Once you have that data flowing through your pipelines you can start doing security/anomaly detection on things.
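As an added example that is not part of this thread: a constructed osquery schedule of the kind described above (file hashes plus listening sockets, logged by the filesystem logger), and a small Python replay of the differential result lines such a schedule produces, flagging changed binary hashes and listeners outside an allowlist. The query names, host name, hash values and port allowlist are made up.

```python
import json

# Constructed osquery.conf fragment: two scheduled queries whose differential
# results the filesystem logger writes, one JSON object per line.
OSQUERY_CONF = {
    "options": {"logger_plugin": "filesystem", "logger_path": "/var/log/osquery"},
    "schedule": {
        "bin_hashes": {"query": "SELECT path, sha256 FROM hash WHERE directory = '/usr/bin';",
                       "interval": 3600},
        "listening": {"query": "SELECT pid, port, protocol, address FROM listening_ports;",
                      "interval": 600},
    },
}

# Constructed sample of that log. Column values are strings, and a row that changed
# between two runs shows up as a "removed" row followed by an "added" row.
SAMPLE_LOG = """
{"name":"bin_hashes","hostIdentifier":"web01","unixTime":1494000000,"action":"added","columns":{"path":"/usr/bin/ssh","sha256":"aaaa"}}
{"name":"listening","hostIdentifier":"web01","unixTime":1494000000,"action":"added","columns":{"pid":"801","port":"22","protocol":"6","address":"0.0.0.0"}}
{"name":"bin_hashes","hostIdentifier":"web01","unixTime":1494003600,"action":"removed","columns":{"path":"/usr/bin/ssh","sha256":"aaaa"}}
{"name":"bin_hashes","hostIdentifier":"web01","unixTime":1494003600,"action":"added","columns":{"path":"/usr/bin/ssh","sha256":"bbbb"}}
{"name":"listening","hostIdentifier":"web01","unixTime":1494003600,"action":"added","columns":{"pid":"2210","port":"4444","protocol":"6","address":"0.0.0.0"}}
"""

EXPECTED_PORTS = {"22", "443"}  # constructed allowlist for this host's role


def detect(log_text):
    """Replay differential results; alert on binary hash changes and unexpected listeners."""
    alerts = []
    removed_hash = {}  # (host, path) -> sha256 from the most recent "removed" row
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        host, cols, action = rec["hostIdentifier"], rec["columns"], rec["action"]
        if rec["name"] == "bin_hashes":
            key = (host, cols["path"])
            if action == "removed":
                removed_hash[key] = cols["sha256"]
            elif action == "added" and key in removed_hash:
                # first-run "added" rows are just the baseline; a removed->added pair is a change
                alerts.append({"type": "hash_changed", "host": host, "path": cols["path"],
                               "old": removed_hash.pop(key), "new": cols["sha256"]})
        elif rec["name"] == "listening" and action == "added":
            if cols["port"] not in EXPECTED_PORTS:
                alerts.append({"type": "unexpected_port", "host": host,
                               "port": cols["port"], "pid": cols["pid"]})
    return alerts
```

The first run of each query emits only "added" rows, so the replay treats those as the baseline and only alerts on later changes.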

anonymousDan | 8 years ago

But do you need an installation of osquery on the remote machines too? Or some kind of remote agent? Or does it just try to login to each remote machine over e.g. SSH?

coredog64 | 8 years ago

It's a remote agent. If you want the scheduled execution, you install the program and configure it internally to run on a schedule.

I haven't finished the work yet, but my employer will be feeding the log results into our ELK stack.

There are other frontends like 'doorman' which allow for ad hoc queries. That is a little more work to stand up.