Skip to content

Latest commit

 

History

History

osqueryreceiver

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
internal/metadata
internal/metadata
 
 
Makefile
Makefile
 
 
README.md
README.md
 
 
config.go
config.go
 
 
config_test.go
config_test.go
 
 
doc.go
doc.go
 
 
factory.go
factory.go
 
 
factory_test.go
factory_test.go
 
 
go.mod
go.mod
 
 
go.sum
go.sum
 
 
metadata.yaml
metadata.yaml
 
 
package_test.go
package_test.go
 
 

README.md

osquery Receiver

Status
Stability development: logs
Distributions []
Issues Open issues Closed issues
Code Owners @codeboten, @nslaughter, @smithclay

The osquery receiver runs queries run on an osquery's daemon on a schedule and converts the output to logs.

Configuration

The following settings are required:

  • queries: list of queries to run on an osquery daemon

The following settings are optional:

  • collection_interval (default = 10s): How often queries are run on the system
  • extensions_socket (default = /var/osquery/osquery.em): The osquery daemon's extension socket. Used to communicate with osquery on the system.

Getting started

osquery must be installed on the system where the collector is running. Once running as a daemon, the collector can connect to it using osquery's extension socket.

Example queries and data sources for querying are available in the osquery docs.

Example configuration

  osquery:
    collection_internal: 10s
    extensions_socket: /var/osquery/osquery.em
    queries:
      - "select * from certificates"
      - "select * from block_devices"