I am running osquery on Ubuntu 16.04 LTS. I tried running commands like:
select * from file_events;
but got the below error:
W1202 19:24:59.876035 4565 virtual_table.cpp:492] Table file_events is event-based but events are disabled
W1202 19:24:59.876058 4565 virtual_table.cpp:499] Please see the table documentation: https://osquery.io/docs/#file_events
What might I be doing wrong? Do I need to enable any configurations?
OSQuery needs to know what file paths it should be monitoring; this will be used to generate events for this table, and is defined in the configuration:
https://osquery.readthedocs.io/en/stable/deployment/file-integrity-monitoring/
@iyerabhi07, let us know if that documentation on file integrity monitoring doesn't help, I am slowly working on making the https://osquery.io documentation more helpful and will point it to that wiki page @fuzzball5000 linked soon.
Hi, sorry for being a noob, but where do I go and write the file paths that I need monitored? Is it in some conf file?
The specific stanzas you'll need to create for FIM are in the link which I included in my previous comment. For a basic setup, you'll be looking at making changes to an /etc/osquery/osquery.conf (if Linux) file as described here: https://osquery.readthedocs.io/en/stable/deployment/configuration/
@fuzzball5000 Thanks for the suggestion. I was trying that. I added
"file_events": {
  "query": "select * from file_events;",
  "removed": false,
  "interval": 300
}
within the "schedule" tag, and added the below outside the schedule:
"file_paths": {
  "homes": [
    "/root/.ssh/%%",
    "/home/%/.ssh/%%"
  ],
  "etc": [
    "/etc/%%"
  ],
  "tmp": [
    "/tmp/%%"
  ]
}
Still not working. :(
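The file_paths stanza above relies on osquery's two wildcards: "%" expands one directory level, "%%" matches recursively and has to be the final component of the pattern. The following is an added example, not code from this thread or from the osquery project, that translates those patterns into regular expressions so you can check which category (if any) would cover a given path, and that flags the two configuration gaps this thread turns on: a missing file_paths stanza, and a schedule with no query that reads file_events. The wildcard semantics are my reading of the FIM documentation linked earlier and are an assumption of this example; the config fragment is constructed to mirror the one posted above.

```python
import json
import re

# Constructed config fragment with the same shape as the osquery.conf posted in this thread.
EXAMPLE_CONFIG = json.loads("""
{
  "file_paths": {
    "homes": ["/root/.ssh/%%", "/home/%/.ssh/%%"],
    "etc": ["/etc/%%"],
    "tmp": ["/tmp/%%"]
  },
  "schedule": {
    "file_events": {"query": "select * from file_events;", "removed": false, "interval": 300}
  }
}
""")


def pattern_to_regex(pattern):
    """Translate one osquery file_paths pattern into an anchored regex.

    Assumed semantics (from the FIM docs): '%%' matches recursively and must be
    the last component; '%' matches within a single directory level; every other
    character is literal.
    """
    if "%%" in pattern and not pattern.endswith("%%"):
        raise ValueError(f"'%%' must be the last component of the pattern: {pattern}")
    parts = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("%%", i):
            parts.append(".*")        # recursive: anything below this prefix
            i += 2
        elif pattern[i] == "%":
            parts.append("[^/]*")     # one level: no path separator allowed
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$")


def matching_categories(config, path):
    """Return the file_paths categories whose patterns cover `path` (empty list if unmonitored)."""
    hits = []
    for category, patterns in config.get("file_paths", {}).items():
        if any(pattern_to_regex(p).match(path) for p in patterns):
            hits.append(category)
    return hits


def config_problems(config):
    """Report the two mistakes from this thread that leave file_events empty."""
    problems = []
    if not config.get("file_paths"):
        problems.append("no file_paths stanza: nothing is watched, so file_events never fills")
    queries = [q.get("query", "") for q in config.get("schedule", {}).values()]
    if not any("file_events" in q.lower() for q in queries):
        problems.append("no scheduled query selects from file_events; osqueryd publishes no event rows")
    return problems


if __name__ == "__main__":
    for p in ("/home/abhi/.ssh/authorized_keys", "/home/abhi/notes.txt", "/etc/passwd"):
        print(p, "->", matching_categories(EXAMPLE_CONFIG, p) or "not monitored")
    print("problems:", config_problems(EXAMPLE_CONFIG) or "none")
```

Note that "/home/%/.ssh/%%" covers "/home/abhi/.ssh/authorized_keys" but not "/home/abhi/notes.txt": the single-level "%" only names the user directory, and only the ".ssh" subtree below it is recursive. A path that is not covered by any category will never appear in file_events, whichever shell you query from.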
That configuration will be checking for file change events every 300 seconds against the paths you have defined, and logging the results in /var/log/osquery/osquery.results.log. Have you checked in there, or are you running queries from the OSQuery interactive shell (osqueryi)? Also I assume you've created/modified files on the monitored paths since starting the osqueryd service?
Hi, I was back at it again, @fuzzball5000. It's still not working :(
I am running osqueryi from the terminal, and I did modify, create and delete files in the directory.
I used the below config file, after which I started the osqueryd service. There are no JSON parsing errors, but it still says events are disabled.
{
  "options": {
    "config_plugin": "filesystem",
    "logger_plugin": "filesystem",
    "logger_path": "/var/log/osquery",
    "events_expiry": "3600",
    "verbose": "false",
    "worker_threads": "2",
    "enable_monitor": "true"
  },
  "schedule": {
    "system_info": {
      "query": "SELECT hostname, cpu_brand, physical_memory FROM system_info;",
      "interval": 3600
    },
    "file_events": {
      "query": "SELECT * from file_events;",
      "removed": false,
      "interval": 30
    }
  },
  "file_paths": {
    "homes": [
      "/home/abhi/%%"
    ]
  },
  "decorators": {
    "load": [
      "SELECT uuid AS host_uuid FROM system_info;",
      "SELECT user AS username FROM logged_in_users ORDER BY time DESC LIMIT 1;"
    ]
  },
  "packs": {
  }
}
What could be the reason osqueryi is not picking up the desired config? I included the .conf file with the --config_path flag.
The config is used by osqueryd. When the osqueryd daemon starts up, it will create inotify watches which will be used to power the file_events virtual tables.
Use the config you have with the osqueryd daemon; it will work :)
@fuzzball5000 Thanks, Gary. I was able to generate events from the daemon osqueryd. How can I use the interactive shell (osqueryi) to see those events?
Glad to hear it's working :) It's not possible to query the event-based tables from osqueryi; you'll have to craft suitable scheduled queries in the configuration passed to osqueryd. I'm assuming you want to view/search nicely formatted output, so I would put something like Splunk, ELK, OSQuery's AWS output plugin etc. to task in scooping up the JSON format output and aggregating it for you.
Cheers.
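Until a log aggregator is in place, the results log osqueryd writes under logger_path is already one JSON object per line, so it can be read directly. The following is an added example, not code from this thread or from the osquery project: it parses lines in that shape, keeps the rows the scheduled file_events query produced, summarises them per category and file action, and picks out writes to SSH trust material as the sort of row a FIM alert should fire on. The sample lines are constructed for this example with a subset of the real columns and made-up values; the column names and the top-level "action": "added" marker (the only kind emitted when the schedule sets "removed": false) follow the differential log format as I understand it and are an assumption here.

```python
import json
from collections import Counter

# Constructed results-log excerpt in the one-JSON-object-per-line shape of
# /var/log/osquery/osqueryd.results.log. Hashes, times and paths are made up.
SAMPLE_LOG = """\
{"name":"file_events","hostIdentifier":"ubuntu","unixTime":1512242699,"action":"added","columns":{"target_path":"/home/abhi/.ssh/authorized_keys","category":"homes","action":"UPDATED","sha256":"0000deadbeef"}}
{"name":"file_events","hostIdentifier":"ubuntu","unixTime":1512242700,"action":"added","columns":{"target_path":"/home/abhi/notes.txt","category":"homes","action":"CREATED","sha256":""}}
{"name":"file_events","hostIdentifier":"ubuntu","unixTime":1512242701,"action":"added","columns":{"target_path":"/home/abhi/notes.txt","category":"homes","action":"DELETED","sha256":""}}
{"name":"system_info","hostIdentifier":"ubuntu","unixTime":1512242702,"action":"added","columns":{"hostname":"ubuntu","cpu_brand":"x","physical_memory":"1"}}
this line is not JSON and must be skipped rather than abort the run
"""

# Files whose modification should be surfaced immediately rather than just counted.
SENSITIVE_SUFFIXES = (".ssh/authorized_keys", ".ssh/id_rsa", ".ssh/config")


def parse_results_log(text):
    """Return one dict per well-formed line; blank and malformed lines are skipped.

    osqueryd appends to the file while it is being read, so a torn last line is
    normal and must not raise.
    """
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def file_event_rows(records):
    """Keep rows from the scheduled file_events query that were newly observed."""
    return [r for r in records
            if r.get("name") == "file_events" and r.get("action") == "added"]


def summarize(rows):
    """Count events per (file_paths category, file action) pair."""
    return Counter((r["columns"]["category"], r["columns"]["action"]) for r in rows)


def sensitive_changes(rows):
    """Paths of event rows that touch SSH trust material, in log order."""
    return [r["columns"]["target_path"] for r in rows
            if r["columns"]["target_path"].endswith(SENSITIVE_SUFFIXES)]


if __name__ == "__main__":
    rows = file_event_rows(parse_results_log(SAMPLE_LOG))
    for (category, action), n in sorted(summarize(rows).items()):
        print(f"{category:>8} {action:<10} {n}")
    for path in sensitive_changes(rows):
        print("ALERT: change to", path)
```

To run this against a live host, replace SAMPLE_LOG with the contents of the results log that osqueryd writes under the configured logger_path. The filter on the top-level "action" is what separates event rows from the snapshot and "removed" rows other scheduled queries can emit, so keep it even once the log is shipped to Splunk or ELK.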
Got it. I have integrated the osqueryd result to a log aggregation platform. It is pretty neat. Thanks Gary for all your help!
@fuzzball5000: can I do an automatic config reload for the daemon?
@iyerabhi07, there's no auto-reload for the filesystem config plugin right now. It could be implemented with a signal handler if anyone is feeling enterprising? Send SIGUSR2 or SIGHUP to request a re-read of the JSON. Then write a reload function for the systemd/upstart script.