osquery - Managed Log Source #133
Comments
You're welcome to have my work on this once I've ironed it out a bit. Let me know how best to contribute.
OSQuery Result logs
Just for context, I created this ingestion against logs that are directed to a Kinesis Firehose by our OSquery management system (in this case, FleetDM), which then dumps it into the ingestion bucket.
Parts of the OSquery result logs depend on configuration. e.g. the
Looking at the Elastic implementation for osquery result logs, it does a lot. And the schema assumes a lot about the structure of the query data and decorators. This is because OSquery integrates into their wider solution, and they have control over the configuration and queries issued to agents - something that Matano cannot control or make assumptions about. So the approach I've taken is to leave the
Here's what that looks like:
That covers the basics enough for normalising the results into ECS for storage. My specific ingestion does a lot more, because I configure a number of
OSquery Status Logs
Similar approach to the result logs, but there's more info in here we can rely on to normalise out to ECS.
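The two comments above describe the same design for result logs and status logs: map the handful of fields every osquery log line carries (host identifier, timestamps, decorations, action or severity) onto ECS, and keep the query-specific `columns`/`snapshot` payload as an opaque object because Matano cannot know what queries a deployment runs. The example below is an added illustration of that approach, not code from the commenter, FleetDM or the Matano project. The osquery field names (`hostIdentifier`, `unixTime`, `columns`, `snapshot`, `decorations`, `severity`, `filename`, `line`) are osquery's documented log format; the choice of ECS target fields (`event.dataset`, `event.action`, `host.hostname`, `log.level`, `log.origin.file.*`) and the `osquery.*` namespace for the untouched payload are assumptions made here, and the sample log lines are constructed.

```python
import json
from datetime import datetime, timezone

# Constructed sample lines in osquery's result (differential and snapshot)
# and status log shapes. Values are made up for this example.
SAMPLE_LINES = [
    '{"name":"pack_osquery-monitoring_osquery_info","hostIdentifier":"host-01",'
    '"calendarTime":"Tue Jan 10 12:00:00 2023 UTC","unixTime":1673352000,"epoch":0,'
    '"counter":1,"numerics":false,"decorations":{"host_uuid":"00000000-0000-0000-0000-000000000001"},'
    '"columns":{"pid":"123","version":"5.7.0"},"action":"added"}',
    '{"name":"pack_test_listening_ports","hostIdentifier":"host-01",'
    '"calendarTime":"Tue Jan 10 12:00:05 2023 UTC","unixTime":1673352005,"epoch":0,'
    '"counter":2,"numerics":false,"decorations":{},'
    '"snapshot":[{"port":"22","protocol":"6"},{"port":"443","protocol":"6"}],"action":"snapshot"}',
    '{"hostIdentifier":"host-01","calendarTime":"Tue Jan 10 12:00:06 2023 UTC",'
    '"unixTime":"1673352006","severity":"0","filename":"scheduler.cpp","line":"75",'
    '"message":"Executing scheduled query pack_test_listening_ports","version":"5.7.0","decorations":{}}',
    'this is not json',
]

# osquery (glog) severity numbers -> ECS log.level values (assumed mapping).
SEVERITY_TO_LEVEL = {"0": "info", "1": "warning", "2": "error", "3": "fatal"}


def classify(record):
    """Tell result lines from status lines by the keys only one of them carries."""
    if "columns" in record or "snapshot" in record or "action" in record:
        return "result"
    if "severity" in record and "message" in record:
        return "status"
    return "unknown"


def normalize(line):
    """Map one osquery log line to an ECS-style event; None if it is not usable."""
    try:
        record = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(record, dict):
        return None
    kind = classify(record)
    if kind == "unknown":
        return None
    try:
        # Status logs carry unixTime as a string, result logs as an int; int() handles both.
        ts = datetime.fromtimestamp(int(record["unixTime"]), tz=timezone.utc).isoformat()
        event = {
            "@timestamp": ts,
            "event": {"module": "osquery", "dataset": f"osquery.{kind}"},
            "host": {"hostname": record["hostIdentifier"]},
            "osquery": {
                "calendar_time": record["calendarTime"],
                # Decorations are deployment-specific, so they are kept as-is.
                "decorations": record.get("decorations", {}),
            },
        }
        if kind == "result":
            action = record.get("action")
            event["event"]["action"] = action
            result = {"name": record["name"], "epoch": record.get("epoch"), "counter": record.get("counter")}
            # The query payload is configuration-dependent: store it untouched rather
            # than guessing a schema for it.
            if action == "snapshot":
                result["snapshot"] = record.get("snapshot", [])
            else:
                result["columns"] = record.get("columns", {})
            event["osquery"]["result"] = result
        else:
            event["message"] = record["message"]
            event["log"] = {
                "level": SEVERITY_TO_LEVEL.get(str(record["severity"]), "unknown"),
                "origin": {"file": {"name": record["filename"], "line": int(record["line"])}},
            }
            event["osquery"]["version"] = record.get("version")
    except (KeyError, ValueError, TypeError):
        # A line missing a required field is dropped rather than half-normalised.
        return None
    return event


def normalize_all(lines):
    """Normalise a batch of lines, skipping the ones that cannot be parsed."""
    return [event for event in (normalize(line) for line in lines) if event is not None]


if __name__ == "__main__":
    for event in normalize_all(SAMPLE_LINES):
        print(json.dumps(event, sort_keys=True))
```

The only fields promoted to top-level ECS are the ones osquery itself guarantees; everything whose shape depends on the pack configuration stays under `osquery.result.columns` or `osquery.result.snapshot`, which is the trade-off the comment describes between a generic ingestion and the query-aware Elastic integration.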
A matano managed log source for osquery has been requested by a few community users, would be great to support pulling logs from osquery (e.g. query results, diffs) and storing them in a Matano data lake for endpoint context.