Osquery (im_osquery)

This module is a wrapper for the Osquery monitoring tool. It uses filesystem-based configurations to manage its lifecycle and collect OS-specific data, ensuring seamless integration with Osquery system monitoring workflows.

Currently, the module does not support other osqueryd instances running in parallel wth it.

This module is still in development and will include new functionality and improvements in future NXLog Agent versions.

To examine the supported platforms, see the list of installation packages.

Configuration

The im_osquery module accepts the following directives in addition to the common module directives.

Required directives

The following directives are required for the module to start.

QueryMap

Block directive to define scheduled queries and their parameters. You can specify more than one QueryMap directive in the same module instance. QueryMap supports the following directives:

Name: Required directive specifying a distinct name for the QueryMap block.

Query: Required directive specifying the query in the Osquery SQL language.

Interval: Optional directive to specify the poll interval in seconds. The default value is 60.

Removed: Optional boolean directive to specify whether removed actions should be included in the result. The default value is TRUE.

Optional directives

CaptureErrorLog

Boolean directive to specify whether NXLog Agent should monitor the osqueryd.ERROR file for changes and write osqueryd errors in the NXLog Agent log file. The default value is FALSE.

ClearOnExit

Boolean directive to specify whether the module should delete all Osquery log files when it stops. The osqueryd.results.log file is exempt from this policy and is preserved when SavePos is TRUE. The default value is TRUE.

CreateDir

Boolean directive to specify whether the module should create the folder specified by the Path directive if it does not exist. The default value is TRUE.

Force

Boolean directive to specify if all osqueryd instances should be forced to restart when the module starts. The default value is TRUE.

LogRotation

Boolean directive to specify whether to rotate the logs when they exceed the size limit defined by LogRotationSize. The default value is TRUE.

LogRotationSize

Specifies the maximum osqueryd result file size in bytes. The default is 10,485,760 bytes (10 MB). This directive is only valid if LogRotation is TRUE.

Path

Specifies the full folder path where the osqueryd configuration files are located.

If this directive is not specified, the module creates a sub-folder in the SpoolDir directory. For example, if SpoolDir is /opt/nxlog/var/spool/nxlog, which is the default on Linux-based installations, the Osquery path is set to /opt/nxlog/var/spool/osquery.

SavePos

This optional boolean directive instructs the module whether to save the position of the last read event before NXLog Agent exits. On the next startup, NXLog Agent will try to read the saved position from the cache file.

When TRUE, the position of the last read event are saved and will be read from the cache file upon startup.
If this directive is not specified, it defaults to TRUE.

This directive can be overridden by the global NoCache directive. If NoCache is TRUE, the SavePos directive is considered to be FALSE.

Examples

Example 1. Collecting Osquery logs with minimal configuration

This configuration creates event records from three Osquery tables—system_info, memory_info, and osquery_info.

nxlog.conf

<Input osquery>
    Module          im_osquery

    <QueryMap>
        Name        system_info
        Query       "SELECT * FROM system_info"
    </QueryMap>

    <QueryMap>
        Name        memory_usage
        Query       "SELECT * FROM memory_info"
        Removed     FALSE
    </QueryMap>

    <QueryMap>
        Name        processes
        Query       "SELECT i.*, p.resident_size, p.user_time, p.system_time, t.minutes AS c FROM osquery_info i, processes p, time t WHERE p.pid = i.pid;"
    </QueryMap>

</Input>