OSQUERY Schedule in 2.4

[Hammy-72]

Version

2.4.90

Installation Method

Security Onion ISO image

Description

configuration

Installation Type

Distributed

Location

airgap

Hardware Specs

Exceeds minimum requirements

CPU

8

RAM

128

Storage for /

4 TB

Storage for /nsm

4 TB

Network Traffic Collection

span port

Network Traffic Speeds

1Gbps to 10Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

Hi, I am loving the product. However, before going to 2.4.x was working perfectly the osquery scheduling. Now, when there is no schedule tab it's just the query you put in and I put in 3600s. I do not see it ever kicking off as a schedule by itself. I come in next day it never ran by itself. I can manually run and it's fine. Any ideas why as to it's not working as interval configuration is set?

Thanks guys.

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[reyesj2]

In OSQUERY under packs click on "Add pack" and then "Add Query". Then under "Scheduled agent policies" You can add for example "endpoint-initial" policy if you're using the default endpoint policy for your elastic agents.

I created a test pack and I can see the data coming in every 30 seconds (I set my queries to 30s for testing). I am looking at SOC -> Hunt -> OSQUERY - Live Query. It is a default dashboard included in Security Onion for Hunt.

You could then create a new Sigma Detection to monitor the incoming OSQUERY data and generate an alert when it meets your criteria