osquery
Installation and configuration of osquery:
Work order:
Install osquery on the host
Create /etc/osquery/osquery.conf on the host
Activate the osquery module in Wazuh
Prerequisites:
Client:
Allow osquery through the firewall (not needed for this example, but you might need it)
Wazuh:
Go to Wazuh > Settings > Modules and enable Osquery; it will then appear under Threat Detection and Response, where Osquery must also be enabled:
Installing the osquery client (web01):
Client Config:
Copy the following example configuration into /etc/osquery/osquery.conf
(it creates a scheduled query that grabs the system's hostname, CPU and memory every minute. This is a good test to ensure the system is "up", and it also shows new port bindings):
Wazuh Config:
Then you must enable the osquery module by adding the following to the group's agent.conf
file in Wazuh (restart the Wazuh agent on the host after saving).
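The two files the steps above refer to, as an added example (this is not the page's own configuration, and not Wazuh's or osquery's shipped defaults): a function that writes the osquery schedule (hostname/CPU/memory heartbeat every 60 seconds plus a listening-ports query), a function that writes the osquery wodle for the Wazuh group's agent.conf, and a cheap sanity check to run before restarting the agent. The query names, the 60-second interval and the `default` group name are this example's own choices; the file paths are the osquery and Wazuh defaults.

```shell
#!/bin/sh
# Added example, not configuration from the original page. Paths are the
# osquery/Wazuh defaults; query names and interval are this example's choices.

# 1. /etc/osquery/osquery.conf: a heartbeat query (hostname, CPU, memory) every
#    minute, plus listening ports so a new port binding shows up within a minute.
write_osquery_conf() {
    cat > "$1" <<'EOF'
{
  "options": {
    "config_plugin": "filesystem",
    "logger_plugin": "filesystem",
    "logger_path": "/var/log/osquery",
    "disable_logging": "false",
    "schedule_splay_percent": "10"
  },
  "schedule": {
    "system_info": {
      "query": "SELECT hostname, cpu_brand, physical_memory FROM system_info;",
      "interval": 60
    },
    "listening_ports": {
      "query": "SELECT p.pid, p.name, p.path, l.port, l.address, l.protocol FROM listening_ports l JOIN processes p USING (pid) WHERE l.port != 0;",
      "interval": 60
    }
  }
}
EOF
}

# 2. Wazuh shared agent.conf for the group (on the manager, under
#    /var/ossec/etc/shared/<group>/agent.conf): the osquery wodle makes the
#    agent start osqueryd with the config above and forward its results log.
write_wazuh_wodle() {
    cat > "$1" <<'EOF'
<agent_config>
  <wodle name="osquery">
    <disabled>no</disabled>
    <run_daemon>yes</run_daemon>
    <log_path>/var/log/osquery/osqueryd.results.log</log_path>
    <config_path>/etc/osquery/osquery.conf</config_path>
    <add_labels>yes</add_labels>
  </wodle>
</agent_config>
EOF
}

# Number of scheduled queries declared in an osquery.conf.
scheduled_query_count() {
    grep -c '"query":' "$1"
}

# Sanity check before restarting the agent: the JSON must parse (checked with
# python3 when it is installed) and every scheduled query must carry an
# interval, otherwise osqueryd rejects the config and nothing is logged.
check_osquery_conf() {
    conf="$1"
    if command -v python3 >/dev/null 2>&1; then
        python3 -m json.tool "$conf" >/dev/null || return 1
    fi
    queries=$(scheduled_query_count "$conf")
    intervals=$(grep -c '"interval":' "$conf")
    [ "$queries" -gt 0 ] && [ "$queries" -eq "$intervals" ]
}

# Usage on the host (as root), then restart the agent through Wazuh's own
# control script rather than systemctl:
#   write_osquery_conf /etc/osquery/osquery.conf
#   check_osquery_conf /etc/osquery/osquery.conf
#   write_wazuh_wodle /var/ossec/etc/shared/default/agent.conf   # on the manager
#   /var/ossec/bin/wazuh-control restart
```

The listening_ports query joins against processes so each event carries the binary path, which is what makes the python3 http.server example under Output/Example recognisable in the Events view rather than just a bare port number.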
Output/Example:
If you go to Modules > Osquery > Events, you will see events begin to populate. For example, if you start a Python web server with the command python3 -m http.server 8900, you will see that osquery has logged a python3 process listening on port 8900.
NEVER RUN WAZUH ON THE SYSTEM THROUGH SYSTEMCTL, WAZUH CONTROLS IT!!!