OSquery integration.


ocerna0721

Sep 11, 2023, 11:50:48 PM
to Wazuh | Mailing List
Hello Wazuh community,

I have some questions about using OSquery.

I have managed to install OSquery and configure it on the client side, both osquery.conf and ossec.conf. I am attaching the configurations of each file:

/*ossec.conf*/
  <wodle name="osquery">
    <disabled>no</disabled>
    <run_daemon>yes</run_daemon>
    <bin_path>"C:\Program Files\osquery\osqueryd"</bin_path>
    <log_path>C:\Program Files\osquery\log\osqueryd.results.log</log_path>
    <config_path>C:\Program Files\osquery\osquery.conf</config_path>
    <add_labels>yes</add_labels>
  </wodle>
I added double quotes to bin_path because when I tested running C:\Program Files\osquery\osqueryd in the Windows console to enter the osquery shell, I got the following error: "E0911 15:11:51.428288 15312 init.cpp:520] osqueryd Pidfile check failed: Pidfile::Error::Busy." This is the same error that appears in the osquery dashboard event viewer in Wazuh. However, when I tried running C:\Program Files\osquery\osqueryd using double quotes in the Windows console to access the osquery shell, it worked perfectly fine.

/*osquery.conf*/

Then I applied the following scheduled query in osquery.conf, and it worked perfectly fine:
"process_deleted_executable": {
  "query": "SELECT * FROM processes WHERE on_disk = 0;",
  "interval": 300,
  "description": "Check the processes that have a deleted executable."
}

But when I use the query I'm about to show, no query result logs or errors are generated. It's worth mentioning that I've tried having only one query in the scheduled queries section, and I've changed the query execution time several times, but it still doesn't generate any logs.
"system_communication": {
  "query": "SELECT * FROM processes WHERE pid != 0;",
  "interval": 60,
  "description": "Processes and Communication Ports"
}

I'm not sure if I'm doing something wrong.




Harshal Paliwal

Sep 12, 2023, 6:49:44 AM
to Wazuh | Mailing List
Hi Team,
Thanks for using Wazuh.
Can you please let me know whether only this query is not working, or whether the others are also not working now?
Also, have you validated whether this query returns any results or not?

Please follow the document below for more info:

Awaiting your response.

Please feel free to reach out to us for any information/issues.
Regards,

ocerna0721

Sep 12, 2023, 11:02:39 AM
to Wazuh | Mailing List
Thank you,

I managed to solve the problem. The explanation is in the OSquery documentation. I have understood that if the query returns the same values, it will not generate new logs. I confirmed this when the time passed 23:59, and it generated new values.

Thank you.
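The behaviour described in the two posts above (a scheduled query that "produces no logs" while its rows stay the same, then logs again once the rows change) is osquery's default differential logging: the daemon keeps the previous result set of each scheduled query and only writes "added"/"removed" rows to osqueryd.results.log. The following is an added illustration written for this thread, not osquery's own code and not a Wazuh component: a small Python model of that differential bookkeeping, alongside the real osquery per-query option "snapshot": true, which logs the full result set on every interval instead. The process rows and host name are constructed sample data.

```python
"""Simplified model of osquery scheduled-query logging (illustration only).

Default ("differential") mode: only rows added or removed since the previous
run are logged, so identical consecutive results write nothing at all.
Snapshot mode ("snapshot": true in the schedule entry): the whole result set
is logged on every run, regardless of whether it changed.

The dictionaries below only mimic the field names of osquery's result log;
this is constructed example code, not osquery's implementation.
"""
import json
from typing import Dict, List, Optional

Row = Dict[str, str]


def _row_key(row: Row) -> str:
    # Rows are compared as a whole: a change in any column makes a "new" row.
    return json.dumps(row, sort_keys=True)


class ScheduledQuery:
    """One entry of the osquery "schedule" section plus its stored last result."""

    def __init__(self, name: str, snapshot: bool = False) -> None:
        self.name = name
        self.snapshot = snapshot
        self._previous: Optional[Dict[str, Row]] = None
        self.counter = 0  # incremented per differential run, as in osquery's log

    def run(self, rows: List[Row], host: str = "win-host") -> List[dict]:
        """Feed the rows one run returned; return the log entries that would be emitted."""
        if self.snapshot:
            # Snapshot mode: the full result set is logged every interval.
            return [{"name": self.name, "hostIdentifier": host,
                     "action": "snapshot", "snapshot": list(rows)}]

        current = {_row_key(r): r for r in rows}
        if self._previous is None:
            # First run after (re)start: every row is logged as "added".
            added, removed = list(current.values()), []
        else:
            added = [r for k, r in current.items() if k not in self._previous]
            removed = [r for k, r in self._previous.items() if k not in current]

        entries = []
        for action, changed in (("added", added), ("removed", removed)):
            for row in changed:
                entries.append({"name": self.name, "hostIdentifier": host,
                                "action": action, "counter": self.counter,
                                "columns": row})
        self._previous = current
        self.counter += 1
        return entries  # empty when nothing changed: no line reaches the log


def demo() -> dict:
    """Constructed sample: the same process list twice, then one new process."""
    procs = [{"pid": "4", "name": "System"}, {"pid": "812", "name": "osqueryd.exe"}]
    diff = ScheduledQuery("system_communication")
    first = diff.run(procs)                      # initial state: 2 "added" rows
    unchanged = diff.run(list(procs))            # identical rows: nothing logged
    changed = diff.run(procs + [{"pid": "990", "name": "notepad.exe"}])

    snap = ScheduledQuery("system_communication_snapshot", snapshot=True)
    return {
        "first_run": len(first),
        "unchanged_run": len(unchanged),
        "changed_run": [e["action"] for e in changed],
        "snapshot_every_run": [len(snap.run(procs)), len(snap.run(procs))],
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run as a script it prints the counts per run; the "unchanged_run" value of 0 is exactly the "no logs" symptom from the first post, and the snapshot query logging on both runs is what you get by adding "snapshot": true to a schedule entry when you want every interval recorded (at the cost of much larger logs for wide tables such as processes).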