Skip to content

splunk/TA-osquery

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

57 Commits
.circleci
.circleci
 
 
config
config
 
 
default
default
 
 
metadata
metadata
 
 
static
static
 
 
.gitignore
.gitignore
 
 
LICENSE.txt
LICENSE.txt
 
 
README.md
README.md
 
 

Repository files navigation

TA-osquery

osquery-logo

A Splunk technology add-on for osquery

Join the conversation at Slack Status

branch build status
master master status
  • Sourcetype: osquery:results, osquery:snapshots, osquery:INFO, osquery:WARNING, osquery:ERROR
  • Has index-time ops: false

Features

  • Parses and extracts fields for the following logs:
    • osqueryd.INFO, osqueryd.WARNING, osqueryd.ERROR
    • osqueryd.results.log (from process_events and file_events tables)
    • osqueryd.snapshots.log
  • Provides Datamodel Mapping for:
    • Alerts Data Model based on alerts from packs
    • Changes Data Model based on custom splunk query pack
    • Endpoint Data Model based on custom splunk query pack
  • Does correct time extraction
  • Currently documented and tested for macOS only, although parsing logic can be reused for *nix & Windows if desired.

Deploying TA

  1. Copy default/inputs.conf to local/inputs.conf and uncomment all the stanzas
  2. Drop the TA on the Search Head(s), Indexer(s), Heavy Forwarder (if required, or if using AWS), and Universal Forwarder (if required).

Setting up osquery for local logging

This deployment process has been documented and tested based on Mac OS Mojave. It is important that you thoroughly test this on your environment before rolling out to production. Ref: https://osquery.readthedocs.io

#!/bin/bash
sudo spctl --master-disable
sudo installer -pkg osquery.pkg -target /
sudo mkdir /var/log/osquery
sudo cp splunk.conf /var/osquery/packs
sudo cp osquery.conf /var/osquery/osquery.conf
sudo mv /etc/security/audit_control /etc/security/audit_control.bak
sudo echo "#
# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_control#8 $
#
dir:/var/audit
flags:ex,pc,ap,aa,lo,ad
minfree:5
naflags:no
policy:cnt,argv,arge
filesz:2M
expire-after:10M
superuser-set-sflags-mask:has_authenticated,has_console_access
superuser-clear-sflags-mask:has_authenticated,has_console_access
member-set-sflags-mask:
member-clear-sflags-mask:has_authenticated" > /etc/security/audit_control
sudo spctl --master-enable
sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.auditd.plist
sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.auditd.plist
sudo /usr/local/bin/osqueryctl start

Logging to AWS (preferred)

osquery config

This is the preferred collection method as it removes the need for a Universal Forwarder on each endpoint and ensures remote log connection can be achieved whether or not the endpoint is connected to the corporate network. Splunk Cloud is great way of logging from endpoints but would still require a Universal Forwarder to be rolled out.

The install process is the same as above, apart from the osquery.conf needs to be modified to log to AWS. This can be done by following the osquery doc https://osquery.readthedocs.io/en/stable/deployment/aws-logging/

splunk config

  1. Install and configure Splunk Add-On For Amazon Web Services on your Heavy Forwarder to pull your osquery events from your S3 bucket.

To Do's

  • Test Changes Data model mapping for FIM events in the results log
  • Document a 'Logging locally' method, whereby log rotation is discussed, and running Splunk UF as root to read the log file.

Author

Contributors

  • Jamie Widley

About

A Splunk technology add-on for osquery

Resources

Readme

License

Apache-2.0 license
Activity
Custom properties

Stars

14 stars

Watchers

16 watching

Forks

8 forks
Report repository

Releases 2

v1.0.1 Latest
Dec 21, 2019
+ 1 release

Packages

No packages published

Contributors 2

  •  
  •