Osquery fleet

4/6/2023

The first article in my Osquery series discussed how Osquery can run ad-hoc queries using the interactive osqueryi shell. Running a query from the local system's shell quickly becomes untenable if you want to query many hosts. FleetDM enables you to run queries across all of your Osquery-enabled hosts and aggregate the results for easier processing.

The Query page allows you to define, save, and run queries against your hosts. You can run queries against all your hosts, select a subset of hosts based on their operating system, or manually select individual hosts.

To create and execute a new query, navigate to Queries and select Create new query. The New query dialog allows you to define a query and includes a helpful reference for tables in the Osquery schema. For this example, I'm using the same query from my previous article to find a list of processes and usernames being run by non-root users.

Once you have defined a query, you can save it or run it immediately with the Run query button. FleetDM allows you to filter and select the hosts you want the query to execute against. I only have two hosts connected to FleetDM, so I run it against both by selecting all Linux hosts and clicking Run. The results of the query appear in the web interface as they arrive from connected hosts:

(Video: Anthony Critelli, CC BY-SA 4.0)

FleetDM's Query page makes it easy to run ad-hoc queries across dozens or hundreds of hosts simultaneously. You can also save commonly used queries so that they are easily accessible in the future. The results can then be accessed directly in the FleetDM user interface (UI) or exported for consumption by other systems.

The second article in my Osquery series discussed using scheduled queries to poll information about a system regularly. Scheduled queries are an excellent tool for detecting system changes. FleetDM supports scheduling queries across your Osquery-enabled hosts and forwarding the logs to a central destination. Centrally managing scheduled queries provides a way to gain visibility into changes across your entire environment.

FleetDM supports various destinations, but it uses the filesystem destination by default. This logs scheduled query results to a file on the FleetDM server.

Scheduling a query requires defining a saved query on the Query page using the same steps from the previous section. Instead of running the query, you can save it to execute later. I'll use the same query from above (and my previous article) to find all non-root users on a system.

Once you have defined and saved the query, you can schedule it to run by navigating to Schedule and selecting Schedule a query. The Schedule editor allows you to set the query frequency, define the logging type, and choose the platform that the query executes against. For this example, I scheduled the query to run as a differential snapshot every 15 minutes against all Linux hosts.

To test the query, I create a new user on one of the hosts in my environment:

$ sudo useradd testuser

I can inspect the log file on the FleetDM server after 15 minutes to see the query result:

$ docker exec -it fleetdm_fleet_1 cat /tmp/osquery_result | tail -n 1 | jq

The ability to centrally manage scheduled queries and forward them to a log destination is a great way to simplify the management of your Osquery environment. FleetDM makes this process simple, allowing you to execute queries regularly across thousands of hosts and centralize the results.
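Looking at the last line with jq, as the article does, works for a single test user; once the differential log carries changes from many hosts, you want something that reads the whole file and tells you which account additions deserve a look. The Python script below is an added example for this article, not code from the article or from the Fleet project. The log lines, the query name pack/Global/non_root_users, the host names and the account names are all constructed; the line layout follows the shape osquery produces for differential (non-snapshot) scheduled queries, one row change per JSON line with an action of added or removed, which is what the filesystem destination stores. It skips malformed lines instead of failing on them, because the last line of a live log is often still being written.

```python
"""Triage an osquery differential result log stored by Fleet's filesystem destination.

Added example for this article, not code from the article or from Fleet.
The log lines, query name, host names and account names below are constructed.
"""
import json
from collections import Counter

# Constructed sample of the JSON-lines result file. Each line mimics what
# osquery emits for a differential scheduled query: one row change per line,
# with "action" set to "added" or "removed". The final line is deliberately
# truncated to mimic a partially written tail of a live log.
SAMPLE_LOG = """\
{"name":"pack/Global/non_root_users","hostIdentifier":"web-01","calendarTime":"Thu Apr  6 12:00:00 2023 UTC","unixTime":1680782400,"epoch":0,"counter":1,"numerics":false,"decorations":{"host_uuid":"00000000-0000-0000-0000-000000000001"},"columns":{"uid":"1001","username":"testuser","shell":"/bin/bash","directory":"/home/testuser"},"action":"added"}
{"name":"pack/Global/non_root_users","hostIdentifier":"web-01","calendarTime":"Thu Apr  6 12:00:00 2023 UTC","unixTime":1680782400,"epoch":0,"counter":1,"numerics":false,"decorations":{"host_uuid":"00000000-0000-0000-0000-000000000001"},"columns":{"uid":"0","username":"svc-deploy","shell":"/bin/bash","directory":"/root"},"action":"added"}
{"name":"pack/Global/non_root_users","hostIdentifier":"db-01","calendarTime":"Thu Apr  6 12:00:00 2023 UTC","unixTime":1680782400,"epoch":0,"counter":1,"numerics":false,"decorations":{"host_uuid":"00000000-0000-0000-0000-000000000002"},"columns":{"uid":"1002","username":"olduser","shell":"/usr/sbin/nologin","directory":"/home/olduser"},"action":"removed"}
{"name":"pack/Global/non_root_users","hostIdentifier":"db-01","calendarTi
"""

INTERACTIVE_SHELLS = {"/bin/bash", "/bin/sh", "/bin/zsh", "/usr/bin/bash", "/usr/bin/zsh"}
REQUIRED_KEYS = {"name", "hostIdentifier", "columns", "action"}


def parse_result_log(text):
    """Parse JSON-lines results into (events, malformed_count).

    Malformed or incomplete lines are counted rather than raised: when reading
    a live log, the last line may still be being written, and one bad line
    must not hide the rest of the file.
    """
    events, malformed = [], 0
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            obj = json.loads(raw)
        except json.JSONDecodeError:
            malformed += 1
            continue
        if not isinstance(obj, dict) or not REQUIRED_KEYS.issubset(obj):
            malformed += 1
            continue
        events.append(obj)
    return events, malformed


def triage_user_changes(events):
    """Group account changes by action and flag the additions worth a closer look.

    Returns a dict with "added" and "removed" lists of (host, username, uid),
    an "alerts" list of (reason, host, username, uid) and a per-host Counter.
    """
    report = {"added": [], "removed": [], "alerts": [], "per_host": Counter()}
    for ev in events:
        cols = ev["columns"]
        entry = (ev["hostIdentifier"], cols.get("username"), cols.get("uid"))
        report.setdefault(ev["action"], []).append(entry)
        report["per_host"][ev["hostIdentifier"]] += 1
        if ev["action"] != "added":
            continue
        # A new uid 0 account is the highest-priority finding (it only shows up
        # here if the scheduled query does not filter uid 0 out); a new account
        # with an interactive shell is the routine "someone ran useradd" case.
        if cols.get("uid") == "0":
            report["alerts"].append(("uid0_account_added",) + entry)
        elif cols.get("shell") in INTERACTIVE_SHELLS:
            report["alerts"].append(("interactive_account_added",) + entry)
    return report


def summarize(text):
    """Parse a log and return the triage report plus the count of bad lines."""
    events, malformed = parse_result_log(text)
    report = triage_user_changes(events)
    report["malformed_lines"] = malformed
    return report


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for reason, host, user, uid in result["alerts"]:
        print(f"ALERT {reason}: {user} (uid {uid}) on {host}")
    print(f"added={len(result['added'])} removed={len(result['removed'])} "
          f"malformed={result['malformed_lines']}")
```

To run it against the real file, replace SAMPLE_LOG with the contents of /tmp/osquery_result from the Fleet container (for example by piping the docker exec output into the script). The shell list and the uid 0 rule are starting points; tune them to what your query actually returns, and note that a differential log only reports rows that changed since the previous run, so a missed run shows up as a burst of additions and removals rather than as a gap.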