Installing osquery in Windows using Wazuh Agent


Carlos Lopez

Mar 30, 2021, 1:44:40 AM3/30/21
to wa...@googlegroups.com
Hi all,

I have a small pool of Windows stations that I manage through the Wazuh agent for auditing purposes. Much of the data I collect from all platforms is done through osquery.

My question is: is it possible to install osquery for Windows remotely, using for example the command wodle?

Best regards.

Gabriel Wassan

Mar 30, 2021, 12:39:28 PM3/30/21
to Wazuh mailing list

Hello Carlos Lopez,
At the moment we do not have an official way to perform this type of installation, but we recommend that you follow this guide to generate and install a custom WPK.
Any other questions, please write.
Regards

Gabriel Wassan

Mar 31, 2021, 11:52:16 AM3/31/21
to Wazuh mailing list
Hi Carlos, a little more information here:
For the use of the command wodle, here is a guide.

This module is used to execute commands in the agents, in this case to install osquery. Below I give you a configuration example:

<wodle name="command">
  <disabled>no</disabled>
  <tag>install_osquery</tag>
  <command>HERE_THE_COMMAND_OR_SCRIPT_TO_INSTALL_OSQUERY</command>
  <interval>1d</interval>
  <ignore_output>no</ignore_output>
  <run_on_start>yes</run_on_start>
  <timeout>0</timeout>
</wodle>

To configure this from the manager and send the configuration to the agent, you must enable in the agent an option to accept remote commands (this is for security); here is the guide. However, this module is designed to execute commands periodically, so it is not convenient for installing a package, since each interval would launch the command again. That is why the most appropriate option is WPKs.

You would need to generate a WPK with the osquery installation package and the necessary scripts to run the installation.

What is WPK?
Some context: a WPK is a special package prepared for managers to share with agents, which are able to unpack and run it through a module called agent upgrade. This module has certificate authentication to make sure agents do not run anything illegitimate. For example, it is used to remotely update the agents to a new version.

What do you need to create a WPK?
- The osquery package you want to install (probably an .msi)
- The script that the agent executes when unpacking the WPK; for Windows, as mentioned here, this will be a .bat

I am going to send you the tools privately so that you can generate the WPK for the agent in a practical and safe way. These tools have their own README with their user guide.

Finally, sending the WPK to the agent and running it is covered in this guide: install the certificates that have been generated on the agent, then send the WPK from the manager and let it run.

Best Regards.
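The reply above notes that the command wodle re-runs its command every interval, so a plain installer command is unsuitable. As an added example (not from this thread or from Wazuh itself), this is the kind of idempotent PowerShell script that could stand in for HERE_THE_COMMAND_OR_SCRIPT_TO_INSTALL_OSQUERY: it checks whether osquery is already present, verifies the staged MSI's hash, and only then runs the installer. The staging path C:\Wazuh\osquery.msi, the log path, the SHA-256 placeholder and the service name osqueryd are assumptions.

```powershell
# Added example, not part of the original thread. Idempotent osquery install
# for use from <wodle name="command">. Because the wodle re-runs the command
# every <interval>, the script must be safe to run repeatedly.
#
# Assumptions (not from the page): the MSI has already been copied to
# $MsiPath, its known-good SHA-256 is placed in $ExpectedSha256, and the
# osquery MSI registers a Windows service named "osqueryd".

$MsiPath        = 'C:\Wazuh\osquery.msi'             # hypothetical staging path
$ExpectedSha256 = 'REPLACE_WITH_KNOWN_GOOD_SHA256'   # placeholder, take from the vendor
$ServiceName    = 'osqueryd'
$LogPath        = 'C:\Wazuh\install_osquery.log'     # hypothetical MSI log path

function Test-OsqueryInstalled {
    # Treat osquery as installed when its service exists, so later wodle
    # runs are a no-op instead of a reinstall.
    return $null -ne (Get-Service -Name $ServiceName -ErrorAction SilentlyContinue)
}

function Install-Osquery {
    if (-not (Test-Path -Path $MsiPath)) {
        Write-Output "osquery MSI not found at $MsiPath, nothing to do"
        return 2
    }
    # The wodle runs as SYSTEM: refuse to execute a package that does not
    # match the expected hash (e.g. a tampered or half-copied file).
    $actual = (Get-FileHash -Path $MsiPath -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256) {
        Write-Output "osquery MSI hash mismatch ($actual), refusing to install"
        return 3
    }
    $msiArgs = @('/i', "`"$MsiPath`"", '/quiet', '/norestart', '/l*v', "`"$LogPath`"")
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
    # 0 = success, 3010 = success but a reboot is pending; anything else failed.
    return $proc.ExitCode
}

if (Test-OsqueryInstalled) {
    Write-Output 'osquery already installed, skipping'
    exit 0
}
exit (Install-Osquery)
```

With the script saved on the agent (for example as C:\Wazuh\install_osquery.ps1, another assumed path), the wodle's <command> would be powershell.exe -ExecutionPolicy Bypass -File C:\Wazuh\install_osquery.ps1, and the agent must have remote commands for the command wodle enabled as the reply describes; the exit code and output land in the agent's log, which is where a mismatch or failed install shows up.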