Configuration and parsing of osquery related data
osquery is a host-based monitoring tool developed and used by Facebook. More details are available from:
Employing osquery in a scalable way can be done by using filebeat (https://www.elastic.co/products/beats/filebeat) to transport log entries directly to Elasticsearch, or via Logstash for additional filtering and processing.
Filebeat is a lightweight forwarder and needs to be installed on each host running osquery. A sample configuration file is contained within the filebeat directory.
Logstash is highly configurable; a basic configuration specifying
- a beats input
- a simple filter
- an output to Elasticsearch
is contained in the logstash directory.
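What the filter stage has to work with: osqueryd writes one JSON object per line to its results log, either a differential row (`columns` plus an `action` of added/removed) or a `snapshot` carrying a list of rows. The parser below is an added example, not part of this repository's configuration, and the log lines in it are constructed; it flattens both shapes into one event per row and skips unparseable lines rather than stalling on them, which is the behaviour you would want from the Logstash filter.

```python
import json
from datetime import datetime, timezone

# Constructed sample of osquery's results log (osqueryd.results.log):
# a differential "added" line, a "snapshot" line and a corrupt line.
SAMPLE_LOG = r'''
{"name":"pack_ir_listening_ports","hostIdentifier":"web01","calendarTime":"Mon Jan  1 00:00:00 2018 UTC","unixTime":1514764800,"epoch":0,"counter":3,"decorations":{"host_uuid":"constructed-uuid"},"columns":{"pid":"1234","port":"22","protocol":"6","address":"0.0.0.0"},"action":"added"}
{"name":"pack_monitoring_osquery_info","hostIdentifier":"web01","calendarTime":"Mon Jan  1 00:01:00 2018 UTC","unixTime":1514764860,"epoch":0,"counter":0,"decorations":{},"snapshot":[{"version":"3.0.0","pid":"999"},{"version":"3.0.0","pid":"1000"}],"action":"snapshot"}
not json at all
'''


def parse_result_line(line):
    """Flatten one osquery result line into a list of events.

    Differential lines yield one event; snapshot lines yield one event per
    row. Malformed lines (bad JSON, missing unixTime) yield [] so a single
    bad record does not stop the rest of the file from being processed.
    """
    try:
        rec = json.loads(line)
        ts = datetime.fromtimestamp(int(rec["unixTime"]), tz=timezone.utc)
    except (ValueError, KeyError, TypeError):
        return []
    base = {
        "query": rec.get("name"),
        "host": rec.get("hostIdentifier"),
        "action": rec.get("action"),
        "@timestamp": ts.isoformat(),
        "decorations": rec.get("decorations", {}),
    }
    if rec.get("action") == "snapshot":
        rows = rec.get("snapshot", [])
    else:
        rows = [rec.get("columns", {})]
    return [dict(base, columns=row) for row in rows]


def parse_result_log(text):
    """Parse a whole results-log text (one JSON object per line)."""
    events = []
    for line in text.splitlines():
        if line.strip():
            events.extend(parse_result_line(line))
    return events


if __name__ == "__main__":
    for ev in parse_result_log(SAMPLE_LOG):
        print(ev["@timestamp"], ev["host"], ev["query"], ev["action"], ev["columns"])
```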
An example osquery configuration that will work with Ubuntu-based Linux systems is contained in the osquery directory.