Wazuh osquery


Reza

Dec 29, 2023, 3:27:00 AM12/29/23
to Wazuh | Mailing List
Hi

Is it possible to manage (create, delete, edit) queries remotely from the Wazuh wodle "osquery", like Fleet or Doorman?



Javier Bejar

Dec 29, 2023, 6:27:56 AM12/29/23
to Wazuh | Mailing List
Hi Reza,

You can define a configuration file with the queries and send it to the agents via centralized configuration.

For more information please check the osquery integration documentation.

Regards, Javier.

Reza

Dec 29, 2023, 11:31:44 AM12/29/23
to Wazuh | Mailing List
Hi

I want to define queries on the Wazuh manager server, NOT on the agents.

I want to define queries in :
/etc/osquery/osquery.conf
Or
/path/to/custom_pack.conf
in the filesystem of the Wazuh manager server.

But for the osquery wodle I should define queries in
/etc/osquery/osquery.conf
Or
/path/to/custom_pack.conf
in the filesystem of the Wazuh agent endpoint:

<wodle name="osquery">
    <disabled>no</disabled>
    <run_daemon>yes</run_daemon>
    <bin_path>/usr/bin</bin_path>
    <log_path>/var/log/osquery/osqueryd.results.log</log_path>
    <config_path>/etc/osquery/osquery.conf</config_path>
    <add_labels>no</add_labels>
    <pack name="custom_pack">/path/to/custom_pack.conf</pack>
</wodle>

Paths like /etc/osquery/osquery.conf in the wodle are on the agent where osquery is installed, NOT on the Wazuh manager.

If I am wrong, please tell me the correct configuration so that I can put the queries on the Wazuh manager server.

On Friday, December 29, 2023 at 14:57:56 (UTC+3:30), Javier Bejar wrote:

Javier Bejar

Jan 3, 2024, 6:18:14 AM1/3/24
to Wazuh | Mailing List
Hi Reza,

Wazuh does not natively support central management of osquery queries from the Wazuh manager, similar to what tools like Fleet or Doorman offer. Each agent must have its own osquery configuration file. This means that any changes to osquery queries require updating the osquery configuration files on each agent.

However, you can use Wazuh's centralized configuration feature to distribute osquery configuration files to agents. This method involves creating and maintaining the osquery configuration centrally on the Wazuh manager and then distributing it to the agents.

Regards, Javier
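The following is an added example, not code from the thread or from the Wazuh project, of what "create the osquery configuration centrally and distribute it through centralized configuration" looks like in practice. It assumes (these are not stated in the thread) that the manager pushes every file placed in /var/ossec/etc/shared/<group>/ to the agents of that group, that each agent stores its copy under /var/ossec/etc/shared/, and that the osquery wodle stanza can be carried in the group's agent.conf. The query pack, group name "default" and file name custom_pack.conf are constructed for the demonstration; the pack layout ("queries" keyed by name, each with "query", "interval", "description") is the osquery pack format.

```python
"""Build an osquery pack on the Wazuh manager and the matching wodle stanza
for distribution via centralized configuration (agent.conf).

Assumptions (not from the thread): files in /var/ossec/etc/shared/<group>/ on
the manager are pushed to that group's agents, and each agent keeps its copy
under /var/ossec/etc/shared/. Adjust the paths if your deployment differs.
"""
import json
import re
import tempfile
from pathlib import Path

# Hypothetical default locations; override them when calling the functions.
MANAGER_GROUP_DIR = "/var/ossec/etc/shared/default"  # group dir on the manager
AGENT_SHARED_DIR = "/var/ossec/etc/shared"           # where agents store received files
PACK_FILE = "custom_pack.conf"

# Constructed sample queries (name -> query / interval in seconds / description).
SAMPLE_QUERIES = {
    "listening_ports": {
        "query": "SELECT pid, port, protocol, address FROM listening_ports;",
        "interval": 600,
        "description": "Processes bound to network ports",
    },
    "suid_binaries": {
        "query": "SELECT path, username, groupname, permissions FROM suid_bin;",
        "interval": 3600,
        "description": "Set-uid binaries, for privilege-escalation monitoring",
    },
}

_NAME_RE = re.compile(r"^[A-Za-z0-9_]+$")


def build_pack(queries: dict) -> dict:
    """Return an osquery pack document in the osquery pack format.

    Entries are validated before they are shipped to every agent in the group:
    names must be simple identifiers, only SELECT statements are accepted
    (osquery tables are read-only, anything else is a configuration error),
    and the interval must be a positive number of seconds.
    """
    pack = {"queries": {}}
    for name, spec in queries.items():
        if not _NAME_RE.match(name):
            raise ValueError(f"invalid query name: {name!r}")
        query = spec["query"].strip()
        if not query.lower().startswith("select"):
            raise ValueError(f"{name}: only SELECT statements belong in a pack")
        interval = int(spec.get("interval", 3600))
        if interval <= 0:
            raise ValueError(f"{name}: interval must be positive")
        pack["queries"][name] = {
            "query": query,
            "interval": interval,
            "description": spec.get("description", ""),
        }
    return pack


def write_pack(pack: dict, group_dir: str = MANAGER_GROUP_DIR,
               filename: str = PACK_FILE) -> str:
    """Write the pack into the manager's shared group directory; return its path."""
    target = Path(group_dir) / filename
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(json.dumps(pack, indent=2) + "\n")
    return str(target)


def load_pack(path: str) -> dict:
    """Read a pack back from disk (used to confirm the round trip)."""
    return json.loads(Path(path).read_text())


def render_wodle(agent_shared_dir: str = AGENT_SHARED_DIR,
                 filename: str = PACK_FILE) -> str:
    """Render the <wodle name="osquery"> stanza for the group's agent.conf.

    The pack path points at where the *agent* will hold its copy of the
    distributed file, not at the manager-side path it was written to.
    """
    pack_path = f"{agent_shared_dir.rstrip('/')}/{filename}"
    return (
        '<wodle name="osquery">\n'
        "  <disabled>no</disabled>\n"
        "  <run_daemon>yes</run_daemon>\n"
        "  <bin_path>/usr/bin</bin_path>\n"
        "  <log_path>/var/log/osquery/osqueryd.results.log</log_path>\n"
        "  <config_path>/etc/osquery/osquery.conf</config_path>\n"
        "  <add_labels>no</add_labels>\n"
        f'  <pack name="custom_pack">{pack_path}</pack>\n'
        "</wodle>"
    )


def demo() -> dict:
    """Run the workflow against a temporary directory standing in for the
    manager's group directory, so the example is runnable without Wazuh."""
    pack = build_pack(SAMPLE_QUERIES)
    path = write_pack(pack, tempfile.mkdtemp())
    return {"pack": pack, "path": path, "reloaded": load_pack(path),
            "wodle": render_wodle()}


if __name__ == "__main__":
    result = demo()
    print("pack written to", result["path"])
    print(result["wodle"])
```

On a real deployment the call would be write_pack(build_pack(SAMPLE_QUERIES)) with the default group directory, and the rendered stanza pasted into that group's agent.conf; the agent-side config_path still has to exist on each endpoint, since osqueryd itself reads that file, which is the limitation Javier describes.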