headmin edited this page Jan 20, 2018 · 27 revisions



You're impatient? You want to try it now before reading the docs? Check Docker for the quickest path to get you started.

What is Zentral?

Zentral is a open source Framework and server solution to gather, process, and monitor system events and link them to an inventory.

Zentral is a centralized service to manage configurations for osquery's powerful endpoint inventory and security features. Zentral also support Google Santa in a similar way. A build in event tracking, notification and time series event processing will complement these open source technologies.

Zentral's centralized orchestration of osquery and Santa will empower administrators by having a broader source of information and knowledge about their IT infrastructure, to identify and react to changes on macOS / OS X and Linux clients.

Zentral consolidate event information with inventory data aggregated from client management suites, e.g. JamfPro (JAMF Casper Suite), Munki, Sal, and FileWave. Zentral is a unified monitoring solution to enhance stability and security. All details and events stored in a full text search engine. Zentral can connect several inventory sources in parallel.

Zentral will fit many kinds of public and private organizations which are either already utilizing  or allow those that are wanting to utilize the Mac platform. It is ready for use in enterprise environments and is tailored towards #macadmins that want to enhance the tools, they already know, with a dedicated open source monitoring solution for better incident and event-based management.

It is operated in production by Managed Service Providers (MSPs) as well as small/medium sized organizations. Zentral has become a solution to unify event monitoring and notifcation on critical events and incidents as a great add on to strengthen productivity, stability, and security for the Mac platform.

Zentral is a open-source project initiated by Apfelwerk in Summer/Fall 2015.


Zentral is a new kind of tool. It will initially help #macadmins as an answer for the question:

How can I run a TLS server for osquery?

We provide a central TLS server for osquery configurations and we add on the concept of probes with zentral/osquery - multiple osquery configurations can be combined with multiple actions and notifications. The same apply for Google Santa, we can centraly distribute binary black/whitelist policies based on signing certificates and sha265 hashes for macOS / OS X. We already integrate with JamfPro (formerly know as JAMF JSS / Casper Suite), Watchman Monitoring, Munki, Sal API, and latest addition of FileWave for inventory. We support Slack, SMS, email, ticketing systems like Zendesk, and push notifications - last but not least we install two open source time based visualisation tools along with Zentral: Kibana 6 and Prometheus. The data received by Zentral can be searched, processed and visualised in these tools.

Zentral's main features are:

  • Gateway to connect a full stack of open source software
  • Provide multiple configurations for osquery via a pull model over HTTPS
  • Combine osquery or Santa results with flexible notifications and configurable actions
  • Metrics stored into in a full text search engine for time based processing
  • Connects with existent inventory, for macOS / OS X clients managed with Munki, the Sal Munki dashboard, JamfPro (formerly known as JAMF CasperSuite) or FileWave.

Supported Actions/Notifications:

  • Slack (notify into specific channels)
  • Zendesk (ticket creation, with tags, additionally we can track back Zendesk ticket events into ElasticSearch)
  • FreshDesk (ticket creation, with tags)
  • GitHub (create issues/tickets, with tags)
  • Email (send email to groups/individuals)
  • Push notifications (via PushoverAPI to iOS, Android, etc.)
  • JSS API (change group membership)
  • JSS WebHooks (available in JSS 9.9x)
  • other Webhooks supported

Specific features

  • Distribute osquery configurations

  • Distribute osquery ad-hoc via distributed queries
  • Distribute Santa configurations

  • Trigger notifications for osquery results
  • Trigger notifications for Google Santa policies
  • Trigger notifications for inventory changes
  • Trigger actions using custom commands received from ticketing system API (Zendesk API)
  • Trigger actions using TeamChat, Email, Push Notifications, SMS
  • Store all events in ElasticSearch

  • Integrate with Kibana5 + Prometheus

  • Integrate with JamfPro Inventory / JSS-API
  • Integrate with JamfPro JSS-Webhooks
  • Integrate with FileWave Inventory
  • Integrate with Watchman Monitoring
  • Munki inventory (postflight)
  • Munki inventory support from Sal incl. Groups, Business Units
  • Tags for smart grouping and automation
  • Probe-feeds import from JSON
  • Probe sharing as secret gists (on Github)
  • Setup/autoupdate TLS/SSL from Let's Encrypt
  • User based login / SAML2 option available


Zentral follows a modular approach and consists of multiple components. At it's core it is the intelligence to provide filtering and is a processing framework to interface with other tools. A best breed of open source tools is deployed along with Zentral.Core into a operational state when you deploy and run Zentral.

  • RabbitMQ used for event queues.
  • PostgreSQL persistent database for inventory and metadata.
  • ElasticSearch, full-text search database for all event data
  • Kibana5, real-time analytics and visualization platform for events
  • Prometheus, monitoring system with a time series database
  • Nginx, high performance web server

Note: First deploy option is Docker based docker-compose we currently use in production, for quick test and evaluation deployment we also provide a AWS based AMI 'Zentral all in one' with build in Let's Encrypt support to create required TLS/SSL certs - please see the short 5min video tutorial to get started. For evaluation we've added a Vagrant based deploy option as well.


Zentral is a new kind of tool. It is build in Python and runs on Django Web 1.10 framework.

These diagram illustrates the some architecture areas of Zentral and some of it's ecosystem components:

Zentral is build with a modular approach - we will build other modules over time. The modular approach enables to expand, scale, load balance or even replace functional elements with similar tools where needed.


We provide full source code which include our docker-composed based option to deploy Zentral. New addition is a Ansible build, Packer created Amazon AWS and GoogleCloud Services 'Zentral all in one' image (notes: t2.medium recommended, no ELB setup) - we provide this solution after receiving requests for quick evaluation, to provide a simple to get started test base for osquery, Google Santa for macadmins.

Code Structure

Zentral is build in pure Python and is running in the Django Web Framework. Latest code restructure enables us to run osquery,santa and inventory as Django Apps.


Zentral is currently under development, and code is ready for contribution. Inventory can be taken from a JamfPro (JAMF CasperSuite) via API, clients using Munki for based macOS management will ship inventory data directly from munki (we provide a enrollment package for Munki), alternatively we support Sal as an inventory source for clients using Munki. We support Watchman Monitoring as inventory source as well. Current notifications are Slack, email, ticketing systems (Zendesk, FreshDesk, GitHub), push notifications and JSS API calls. We recently added FileWave as inventory and considering further notifications and sources for inventory. Visualization is Kibana5 and Prometheus, the provided Zentral deployment as well as AWS / Google Cloud based images will run both tools along with Zentral.

Zentral is currently used stable in production in a medium sized environment with about 1000 mac clients and 45 linux servers.

Note: We currently run a series of "Introduction to Zentral" workshops at local Mac Admin Meetups over Europe, next date is Jan 20 2017 in Helsinki.

We will next present Zentral at the macad.uk conference in Feb 2017 in London.

When does Zentral fit?

If you're an small to medium sized IT team or Managed Service Provider (MSP), responsible for a fleet of mac clients and/or linux clients/servers. If you'd eager to combine the power of osquery, existing inventory, make use of time based event metrics over your fleet of clients, extend your team and tools with a new breed of flexible alerting and unified monitoring options.

Zentral is ideal as a starting point to integrate osquery with solutions you have already in place, start to extend and build up with the modular structure of Zentral.

Zentral is the one of the very few TLS based server for Google Santa

When does Zentral may not fit?

If you're a large enterprise, have a dedicated budget and resources for big data analytics (Hive, Splunk), and already use full Chef or Puppet managed clients, you may have other solutions in place already.