osquery


stetnt4

Nov 17, 2023, 9:39:11 AM
to Wazuh | Mailing List
Hello! The log is not written. What is the error?
osquery.flags
osqueryd.INFO.20231117-162537.4688
osquery.conf

stetnt4

Nov 17, 2023, 9:49:51 AM
to Wazuh | Mailing List
That's why I don't receive notifications in Wazuh.

Friday, November 17, 2023 at 17:39:11 UTC+3, stetnt4:
Безымянный.jpg

stetnt4

Nov 20, 2023, 3:13:52 AM
to Wazuh | Mailing List
No one uses it?

Friday, November 17, 2023 at 17:49:51 UTC+3, stetnt4:

Nahuel Figueroa

Nov 21, 2023, 7:15:47 AM
to Wazuh | Mailing List

stetnt4

Nov 22, 2023, 9:36:43 AM
to Wazuh | Mailing List
Nothing is written as a result.

Tuesday, November 21, 2023 at 15:15:47 UTC+3, Nahuel Figueroa:

Nahuel Figueroa

Nov 23, 2023, 3:33:30 PM
to Wazuh | Mailing List
Could you show me your <wodle name="osquery"> config in ossec.conf?

stetnt4

Nov 24, 2023, 2:29:35 AM
to Wazuh | Mailing List


osquery does not work. Writes nothing to the log. Error reading config: Error parsing the config JSON
C:\Program Files\osquery>osqueryi --verbose
I1124 10:09:31.306763 3892 init.cpp:413] osquery initialized [version=5.10.2]
I1124 10:09:31.322425 3892 dispatcher.cpp:78] Adding new service: UsersService (00000249448AF560) to thread: 7356 (00000249448E7170) in process 7376
I1124 10:09:31.322425 3892 dispatcher.cpp:78] Adding new service: GroupsService (00000249448AE790) to thread: 1948 (00000249448477B0) in process 7376
I1124 10:09:31.322425 3892 extensions.cpp:453] Could not autoload extensions: Cannot open file for reading: \Program Files\osquery\extensions.load
I1124 10:09:31.337944 1948 groups_service.cpp:55] Groups cache initialized
I1124 10:09:31.337944 7356 users_service.cpp:149] Users cache initialized
I1124 10:09:31.337944 3892 dispatcher.cpp:78] Adding new service: ExtensionWatcher (00000249448175E0) to thread: 484 (00000249465D0800) in process 7376
I1124 10:09:31.353600 3892 dispatcher.cpp:78] Adding new service: ExtensionRunnerCore (00000249465F2E00) to thread: 7400 (00000249465D0580) in process 7376
I1124 10:09:31.353600 7400 interface.cpp:299] Extension manager service starting: \\.\pipe\shell.em
I1124 10:09:31.369115 3892 auto_constructed_tables.cpp:99] Removing stale ATC entries
E1124 10:09:31.369115 3892 config.cpp:879] updateSource failed to parse config, of source: \Program Files\osquery\osquery.conf and content:
{
  // Configure the daemon below:
  "options": {
    // The log directory stores info, warning, and errors.
    // If the daemon uses the 'filesystem' logging retriever then the log_dir
    // will also contain the query results.
    "logger_path": "C:\Program Files\osquery\log",

    // Set 'disable_logging' to true to prevent writing any info, warning, error
    // logs. If a logging plugin is selected it will still write query results.
    "disable_logging": "false",

    // Splay the scheduled interval for queries.
    // This is very helpful to prevent system performance impact when scheduling
    // large numbers of queries that run a smaller or similar intervals.
    "schedule_splay_percent": "10",
  },

  // Define a schedule of queries:
  "schedule": {
    // This is a simple example query that outputs basic system information.
    "system_info": {
      // The exact query to run.
      "query": "SELECT hostname, cpu_brand, physical_memory FROM system_info;",
      // The interval in seconds to run this query, not an exact interval.
      "interval": 90
    }
  },

  // Decorators are normal queries that append data to every query.
  "decorators": {
    "load": [
      "SELECT uuid AS host_uuid FROM system_info;",
      "SELECT user AS username FROM logged_in_users ORDER BY time DESC LIMIT 1;"
    ]
  },

  // Add default osquery packs or install your own.
  //
  // There are several 'default' packs installed via
  // packages and/or Homebrew.
  //
  // Linux: /opt/osquery/share/osquery/packs
  // OS X: /var/osquery/packs
  // Homebrew: /usr/local/share/osquery/packs
  // make install: {PREFIX}/share/osquery/packs
  //
  "packs": {
    // "osquery-monitoring": "/opt/osquery/share/osquery/packs/osquery-monitoring.conf",
    // "incident-response": "/opt/osquery/share/osquery/packs/incident-response.conf",
    // "it-compliance": "/opt/osquery/share/osquery/packs/it-compliance.conf",
    // "osx-attacks": "/var/osquery/packs/osx-attacks.conf",
    // "vuln-management": "/opt/osquery/share/osquery/packs/vuln-management.conf",
    // "hardware-monitoring": "/opt/osquery/share/osquery/packs/hardware-monitoring.conf",
    // "ossec-rootkit": "/opt/osquery/share/osquery/packs/ossec-rootkit.conf",
    // "windows-hardening": "C:\\Program Files\\osquery\\packs\\windows-hardening.conf",
    // "windows-attacks": "C:\\Program Files\\osquery\\packs\\windows-attacks.conf"
  },

  // Provides feature vectors for osquery to leverage in simple statistical
  // analysis of results data.
  //
  // Currently this configuration is only used by Windows in the Powershell
  // Events table, wherein character_frequencies is a list of doubles
  // representing the aggregate occurrence of character values in Powershell
  // Scripts. A default configuration is provided which was adapted from
  // Lee Holmes cobbr project:
  // https://gist.github.com/cobbr/acbe5cc7a186726d4e309070187beee6
  //
  "feature_vectors": {
    "character_frequencies": [
      0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
      0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
      0.0, 0.00045, 0.01798, 0.0, 0.03111, 0.00063, 0.00027, 0.0, 0.01336, 0.0133, 0.00128, 0.0027, 0.00655, 0.01932, 0.01917, 0.00432,
      0.0045, 0.00316, 0.00245, 0.00133, 0.001029, 0.00114, 0.000869, 0.00067, 0.000759, 0.00061, 0.00483, 0.0023, 0.00185, 0.01342, 0.00196, 0.00035,
      0.00092, 0.027875, 0.007465, 0.016265, 0.013995, 0.0490895, 0.00848, 0.00771, 0.00737, 0.025615, 0.001725, 0.002265, 0.017875, 0.016005, 0.02533, 0.025295,
      0.014375, 0.00109, 0.02732, 0.02658, 0.037355, 0.011575, 0.00451, 0.005865, 0.003255, 0.005965, 0.00077, 0.00621, 0.00222, 0.0062, 0.0, 0.00538,
      0.00122, 0.027875, 0.007465, 0.016265, 0.013995, 0.0490895, 0.00848, 0.00771, 0.00737, 0.025615, 0.001725, 0.002265, 0.017875, 0.016005, 0.02533, 0.025295,
      0.014375, 0.00109, 0.02732, 0.02658, 0.037355, 0.011575, 0.00451, 0.005865, 0.003255, 0.005965, 0.00077, 0.00771, 0.002379, 0.00766, 0.0, 0.0,
      0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
      0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
      0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
      0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
      0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
      0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
      0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0,
      0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0
    ]
  }
}
I1124 10:09:31.665886 3892 init.cpp:762] Error reading config: Error parsing the config JSON
I1124 10:09:31.665886 3892 loader.cpp:45] No experiments selected
Using a virtual database.
Need help, type '.help'

Thursday, November 23, 2023 at 23:33:30 UTC+3, Nahuel Figueroa:
ossec.conf
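The verbose output quoted above shows two things a strict JSON parser rejects: "logger_path" written with single backslashes (a backslash followed by "P" is not a JSON escape) and a comma after the last entry of "options" before the closing brace. As an added check that is not part of the thread or of osquery itself, this Python script strips the "//" comments osquery accepts and runs the rest through Python's strict JSON parser; the config excerpt is constructed to reproduce both defects, and FIXED_CONF is the same excerpt with them corrected.

```python
import json

# Constructed excerpt (not the poster's full file) reproducing the two defects
# visible in the quoted config: single backslashes in logger_path and a trailing comma.
BROKEN_CONF = r'''{
  // Configure the daemon below:
  "options": {
    "logger_path": "C:\Program Files\osquery\log",
    "disable_logging": "false",
    "schedule_splay_percent": "10",
  },
  "schedule": {
    "system_info": {"query": "SELECT hostname FROM system_info;", "interval": 90}
  }
}'''

# The same excerpt with the path escaped and the trailing comma removed.
FIXED_CONF = BROKEN_CONF.replace(
    r"C:\Program Files\osquery\log", r"C:\\Program Files\\osquery\\log"
).replace('"10",\n  }', '"10"\n  }')

def strip_line_comments(text: str) -> str:
    """Drop the '//' comments osquery accepts, leaving string contents alone."""
    out = []
    for line in text.splitlines():
        in_str, esc = False, False
        for i, ch in enumerate(line):
            if in_str:
                if esc:
                    esc = False
                elif ch == "\\":
                    esc = True
                elif ch == '"':
                    in_str = False
            elif ch == '"':
                in_str = True
            elif line.startswith("//", i):
                line = line[:i]   # comment starts here, outside any string
                break
        out.append(line)
    return "\n".join(out)

def check_config(text: str):
    """Strict JSON parse of the comment-free text: returns (ok, line, message)."""
    try:
        json.loads(strip_line_comments(text))
        return True, 0, "ok"
    except json.JSONDecodeError as e:
        return False, e.lineno, e.msg
```

Running check_config on the broken excerpt points at the logger_path line first; escaping the path alone then exposes the trailing comma, and only FIXED_CONF parses cleanly.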

Nahuel Figueroa

Nov 29, 2023, 7:48:44 AM
to Wazuh | Mailing List
Hi ttnt4! Let me ask my colleagues for more information. I'll keep you informed.

stetnt4

Dec 1, 2023, 4:16:39 AM
to Wazuh | Mailing List
Hello! I figured out why the log was not written, but now the packages in C:\Program Files\osquery\packs are not processed. I carried out an attack according to the rule, but it did not appear in the log.

Безымянный.jpg
Wednesday, November 29, 2023 at 15:48:44 UTC+3, Nahuel Figueroa:

Nahuel Figueroa

Dec 3, 2023, 9:42:50 PM
to Wazuh | Mailing List
Hello stetnt4! I'm glad! Could you tell me what the cause was, and perhaps give some information about this new problem? I would also ask what attack you performed and what rule you want to try.