Osquery
Osquery provides easy access to operating system logs via SQL queries as it exposes operating system data in a relational data model.
According to osquery's documentation, osquery "does not implement log forwarding internally." In fact, "the act of forwarding logs and analyzing logs is mostly left as an exercise for the reader." NXLog can be integrated with osquery to forward its logs when deployed on Windows, macOS, Linux, and FreeBSD.
Using Osquery
Osquery utilizes SQL queries to retrieve information. The following simple SELECT statement lists process information; the first result set below is from a Linux host and the second from a Windows host:
SELECT pid, name, path FROM processes;
pid | name | path |
---|---|---|
1 | bash | /usr/bin/bash |
162 | nxlog | /opt/nxlog/bin/nxlog |
178 | osquery | /usr/bin/osqueryd |
22 | bash | /usr/bin/bash |
37 | vim | /usr/bin/vim |

pid | name | path |
---|---|---|
0 | [System Process] | |
4 | System | |
244 | smss.exe | C:\Windows\System32\smss.exe |
324 | csrss.exe | C:\Windows\System32\csrss.exe |
404 | csrss.exe | C:\Windows\System32\csrss.exe |
412 | wininit.exe | C:\Windows\System32\wininit.exe |
596 | svchost.exe | C:\Windows\System32\svchost.exe |
For more information about osquery commands, see the osqueryi (shell) and SQL Introduction sections on the osquery website.
Configuring Osquery
The osqueryd daemon allows scheduling queries and provides two types of logging:
- differential — logs the changes in the system between the previous and the current execution of a query.
- snapshot — logs the complete data set obtained at a certain point in time.
For more information on installing osquery, see the Getting Started section on the osquery website.
Osquery can be configured via the osquery.conf file, which uses JSON format. This file should be located under the following paths:
- Linux: /etc/osquery/
- Windows: C:\Program Files\osquery\
- FreeBSD: /usr/local/etc/
- macOS: /private/var/osquery/
The following configuration is an example of a differential logging configuration. The schedule object contains the nested processes object, which contains two fields:
- query — This key specifies the SQL statement. In this case, it selects the pid, name, and path of every entry in the processes table.
- interval — This key contains the number of seconds after which the statement is executed again. In this example, the query is executed every 10 seconds.
{
  "schedule": {
    "processes": {
      "query": "SELECT pid, name, path FROM processes;",
      "interval": 10
    }
  }
}
The following configuration is an example of the snapshot logging configuration. The processes object contains the additional snapshot key, a boolean flag that enables the snapshot logging mode for this query.
{
  "schedule": {
    "processes": {
      "query": "SELECT pid, name, path FROM processes;",
      "interval": 10,
      "snapshot": true
    }
  }
}
For more information, see the Configuration section on the osquery website.
Log samples
Osquery creates status logs of its own execution for both differential and snapshot logging. Execution logs are stored in the following files:
- osqueryd.INFO
- osqueryd.WARNING
- osqueryd.ERROR
By default, all osquery log files are available under the following paths:
- On Unix-like systems: /var/log/osquery/
- On Windows: C:\Program Files\osquery\log\
Below are samples of the execution logs from Ubuntu and Windows.
Log file created at: 2019/11/25 10:07:54
Running on machine: ubuntu
Log line format: [IWEF]mmdd hh:mm:ss.uuuuuu threadid file:line] msg
I1125 10:07:54.233732 28060 events.cpp:863] Event publisher not enabled: auditeventpublisher: Publisher disabled via configuration
I1125 10:07:54.233835 28060 events.cpp:863] Event publisher not enabled: syslog: Publisher disabled via configuration
Log file created at: 2019/11/28 10:57:00
Running on machine: WIN-SFULD4GOF4H
Log line format: [IWEF]mmdd hh:mm:ss.uuuuuu threadid file:line] msg
I1128 10:57:00.979398 3908 scheduler.cpp:105] Executing scheduled query processes: SELECT pid, name, path FROM processes;
E1128 10:57:01.009029 3908 processes.cpp:312] Failed to lookup path information for process 4
E1128 10:57:01.024600 3908 processes.cpp:332] Failed to get cwd for 4 with 31
I1128 10:58:01.649113 3908 scheduler.cpp:105] Executing scheduled query processes: SELECT pid, name, path FROM processes;
E1128 10:58:01.681404 3908 processes.cpp:312] Failed to lookup path information for process 4
E1128 10:58:01.712568 3908 processes.cpp:332] Failed to get cwd for 4 with 31
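The status-log lines follow the format stated in the file header: a severity letter, month and day, a time with microseconds, a thread id, the source file and line, and the message. As an added example (not code from the NXLog or osquery documentation), the following Python parser turns such a file into structured records; because the lines carry only month and day, the year is taken from the "Log file created at:" header and the hostname from "Running on machine:". The sample file is constructed after the Windows excerpt above.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the status-log format shown above (not a real capture).
STATUS_LOG = """Log file created at: 2019/11/28 10:57:00
Running on machine: WIN-SFULD4GOF4H
Log line format: [IWEF]mmdd hh:mm:ss.uuuuuu threadid file:line] msg
I1128 10:57:00.979398 3908 scheduler.cpp:105] Executing scheduled query processes: SELECT pid, name, path FROM processes;
E1128 10:57:01.009029 3908 processes.cpp:312] Failed to lookup path information for process 4
E1128 10:57:01.024600 3908 processes.cpp:332] Failed to get cwd for 4 with 31
"""

SEVERITY = {"I": "INFO", "W": "WARNING", "E": "ERROR", "F": "FATAL"}
HEADER_RE = re.compile(r"^Log file created at: (\d{4})/\d{2}/\d{2}")
MACHINE_RE = re.compile(r"^Running on machine: (.+)$")
# [IWEF]mmdd hh:mm:ss.uuuuuu threadid file:line] msg
LINE_RE = re.compile(
    r"^(?P<sev>[IWEF])(?P<mm>\d{2})(?P<dd>\d{2}) (?P<time>\d{2}:\d{2}:\d{2}\.\d{6}) "
    r"(?P<tid>\d+) (?P<file>[^:\]]+):(?P<line>\d+)\] (?P<msg>.*)$"
)


def parse_status_log(text):
    """Return one dict per log line of an osqueryd.INFO/WARNING/ERROR file.
    Lines carry only month and day: the year comes from the 'Log file created at:'
    header and the hostname from 'Running on machine:'; other headers are skipped."""
    year, host, records = None, None, []
    for raw in text.splitlines():
        if m := HEADER_RE.match(raw):
            year = int(m.group(1))
        elif m := MACHINE_RE.match(raw):
            host = m.group(1)
        elif m := LINE_RE.match(raw):
            # If the header was rotated away, fall back to the current year.
            stamp = f"{year or datetime.now().year}{m['mm']}{m['dd']} {m['time']}"
            records.append({
                "severity": SEVERITY[m["sev"]],
                "timestamp": datetime.strptime(stamp, "%Y%m%d %H:%M:%S.%f"),
                "thread_id": int(m["tid"]),
                "source": f"{m['file']}:{m['line']}",
                "hostname": host,
                "message": m["msg"],
            })
    return records


def count_by_severity(records):
    """Summarise a parsed status log, e.g. to alert on bursts of ERROR entries."""
    return dict(Counter(rec["severity"] for rec in records))
```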
The osqueryd.results.log file stores differential log entries. Below are samples of the differential logs from Ubuntu and Windows.
{"name":"users","hostIdentifier":"ubuntu","calendarTime":"Mon Nov 25 09:11:40 2019 UTC","unixTime":1574673100,"epoch":0,"counter":0,"logNumericsAsNumbers":false,"columns":{"directory":"/","uid":"111","username":"kernoops"},"action":"removed"}
{"name":"users","hostIdentifier":"ubuntu","calendarTime":"Mon Nov 25 09:11:40 2019 UTC","unixTime":1574673100,"epoch":0,"counter":0,"logNumericsAsNumbers":false,"columns":{"directory":"/bin","uid":"2","username":"bin"},"action":"removed"}
{"name":"processes","hostIdentifier":"WIN-SFULD4GOF4H","calendarTime":"Fri Nov 29 18:18:00 2019 UTC","unixTime":1575051480,"epoch":0,"counter":23,"logNumericsAsNumbers":false,"columns":{"name":"conhost.exe","path":"C:\\Windows\\System32\\conhost.exe","pid":"2936"},"action":"removed"}
{"name":"processes","hostIdentifier":"WIN-SFULD4GOF4H","calendarTime":"Fri Nov 29 18:18:00 2019 UTC","unixTime":1575051480,"epoch":0,"counter":23,"logNumericsAsNumbers":false,"columns":{"name":"dllhost.exe","path":"C:\\Windows\\System32\\dllhost.exe","pid":"3784"},"action":"removed"}
The osqueryd.snapshots.log file stores snapshot logs. Below are samples of the snapshot logs from Ubuntu and Windows.
{"snapshot":[{"name":"gsd-rfkill","path":"/usr/lib/gnome-settings-daemon/gsd-rfkill","pid":"944"},{"name":"gsd-screensaver","path":"/usr/lib/gnome-settings-daemon/gsd-screensaver-proxy","pid":"947"},{"name":"gsd-sharing","path":"/usr/lib/gnome-settings-daemon/gsd-sharing","pid":"949"},{"name":"gsd-smartcard","path":"/usr/lib/gnome-settings-daemon/gsd-smartcard","pid":"955"},{"name":"gsd-sound","path":"/usr/lib/gnome-settings-daemon/gsd-sound","pid":"962"},{"name":"gsd-wacom","path":"/usr/lib/gnome-settings-daemon/gsd-wacom","pid":"965"},{"name":"kstrp","path":"","pid":"98"}],"action":"snapshot","name":"users","hostIdentifier":"ubuntu","calendarTime":"Mon Nov 25 09:14:25 2019 UTC","unixTime":1574673265,"epoch":0,"counter":0,"logNumericsAsNumbers":false}
{"snapshot":[{"name":"[System Process]","path":"","pid":"0"},{"name":"System","path":"","pid":"4"},{"name":"smss.exe","path":"C:\\Windows\\System32\\smss.exe","pid":"244"},{"name":"csrss.exe","path":"C:\\Windows\\System32\\csrss.exe","pid":"328"},{"name":"wininit.exe","path":"C:\\Windows\\System32\\wininit.exe","pid":"408"},{"name":"winlogon.exe","path":"C:\\Windows\\System32\\winlogon.exe","pid":"452"},{"name":"services.exe","path":"C:\\Windows\\System32\\services.exe","pid":"512"},{"name":"RuntimeBroker.exe","path":"C:\\Windows\\System32\\RuntimeBroker.exe","pid":"2664"},{"name":"sihost.exe","path":"C:\\Windows\\System32\\sihost.exe","pid":"2700"},{"name":"svchost.exe","path":"C:\\Windows\\System32\\svchost.exe","pid":"2708"}],"action":"snapshot","name":"processes","hostIdentifier":"WIN-SFULD4GOF4H","calendarTime":"Fri Nov 29 18:13:04 2019 UTC","unixTime":1575051184,"epoch":0,"counter":0,"logNumericsAsNumbers":false}
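A differential line carries one changed row under "columns" with an "action" of "added" or "removed", while a snapshot line carries every row of one query run under "snapshot"; in both, numeric columns such as pid arrive as strings because logNumericsAsNumbers is false. As an added example (not code from NXLog or osquery), the Python below flattens both formats into one event per row and then runs a simple check over the process rows; the sample lines and the TRUSTED_PREFIXES allowlist are constructed assumptions.

```python
import json

# Constructed lines in the formats of osqueryd.results.log (differential) and
# osqueryd.snapshots.log (snapshot) shown above; not real captures.
RESULTS_LOG = "\n".join([
    '{"name":"processes","hostIdentifier":"WIN-SFULD4GOF4H","calendarTime":"Fri Nov 29 18:18:00 2019 UTC",'
    '"unixTime":1575051480,"epoch":0,"counter":23,"logNumericsAsNumbers":false,'
    '"columns":{"name":"conhost.exe","path":"C:\\\\Windows\\\\System32\\\\conhost.exe","pid":"2936"},"action":"removed"}',
    '{"name":"processes","hostIdentifier":"WIN-SFULD4GOF4H","calendarTime":"Fri Nov 29 18:18:10 2019 UTC",'
    '"unixTime":1575051490,"epoch":0,"counter":24,"logNumericsAsNumbers":false,'
    '"columns":{"name":"tool.exe","path":"C:\\\\Users\\\\Public\\\\tool.exe","pid":"4100"},"action":"added"}',
])
SNAPSHOT_LOG = (
    '{"snapshot":[{"name":"System","path":"","pid":"4"},'
    '{"name":"smss.exe","path":"C:\\\\Windows\\\\System32\\\\smss.exe","pid":"244"}],'
    '"action":"snapshot","name":"processes","hostIdentifier":"WIN-SFULD4GOF4H",'
    '"calendarTime":"Fri Nov 29 18:13:04 2019 UTC","unixTime":1575051184,"epoch":0,'
    '"counter":0,"logNumericsAsNumbers":false}'
)


def parse_osquery_log(text):
    """Flatten differential and snapshot lines into one event per table row."""
    events = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        entry = json.loads(raw)
        # Differential lines hold one row in "columns"; snapshot lines hold a list.
        rows = entry["snapshot"] if entry["action"] == "snapshot" else [entry["columns"]]
        for row in rows:
            event = {"query": entry["name"], "host": entry["hostIdentifier"],
                     "unix_time": entry["unixTime"], "action": entry["action"], **row}
            if "pid" in event:  # logNumericsAsNumbers is false, so pid is a string
                event["pid"] = int(event["pid"])
            events.append(event)
    return events


# Assumed allowlist of directories from which processes are expected to run.
TRUSTED_PREFIXES = ("c:\\windows\\", "/usr/", "/bin/", "/opt/")


def processes_outside_trusted_dirs(events):
    """Return present processes (added or in a snapshot) whose executable path
    is not under a trusted prefix. Empty paths (kernel pseudo-processes such as
    pid 0 and 4 on Windows, seen in the samples above) are skipped, not flagged."""
    return [e for e in events
            if e["query"] == "processes" and e["action"] != "removed"
            and e.get("path") and not e["path"].lower().startswith(TRUSTED_PREFIXES)]
```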
For more information about the logging system of osquery, see the Logging section on the osquery website.
Configuring NXLog
This section provides examples on how to configure NXLog to integrate with osquery.
The following configuration, for Linux, uses the im_file module to read the osquery log entries and the xm_json module to parse them.
<Extension _json>
    Module  xm_json
</Extension>

<Input osquery_diff>
    Module  im_file
    File    "/var/log/osquery/osqueryd.results.log"
    Exec    parse_json();
</Input>

<Input osquery_snap>
    Module  im_file
    File    "/var/log/osquery/osqueryd.snapshots.log"
    Exec    parse_json();
</Input>
The equivalent configuration for Windows differs only in the log file paths; it also uses the im_file module to read the osquery log entries and the xm_json module to parse them.
<Extension _json>
    Module  xm_json
</Extension>

<Input osquery_diff>
    Module  im_file
    File    "C:\\Program Files\\osquery\\log\\osqueryd.results.log"
    Exec    parse_json();
</Input>

<Input osquery_snap>
    Module  im_file
    File    "C:\\Program Files\\osquery\\log\\osqueryd.snapshots.log"
    Exec    parse_json();
</Input>
Using an appropriate output module, NXLog can be configured to forward osquery logs to a remote system. As an example, the om_tcp module is used here.
<Output snap_out>
    Module  om_tcp
    Host    192.168.1.1
    Port    1515
</Output>