

There's a lot of bias here, but again I wanted it to be similar to what I am already doing, and as much as possible fit into infrastructure I have already running.

What is osquery? (abridged, quoted from Graylog's osquery page)

osquery exposes an operating system as a high-performance relational database. This allows you to write SQL-based queries to explore operating system data. With osquery, SQL tables represent abstract concepts such as running processes, loaded kernel modules, open network connections, browser plugins, hardware events or file hashes. SQL tables are implemented via a simple plugin and extensions API. A variety of tables already exist and more are being written.

To best understand the expressiveness that is afforded to you by osquery, consider the following SQL queries:

Check the processes that have a deleted executable:

SELECT * FROM processes WHERE on_disk = 0;

Get the process name, port, and PID, for processes listening on all interfaces:

SELECT DISTINCT processes.name, listening_ports.port, processes.pid
  FROM listening_ports JOIN processes USING (pid)
  WHERE listening_ports.address = '0.0.0.0';

Find every OS X LaunchDaemon that launches an executable and keeps it running:

SELECT name, program || program_arguments AS executable
  FROM launchd
  WHERE (run_at_load = 1 AND keep_alive = 1)
  AND (program != '' OR program_arguments != '');

osqueryi is the osquery interactive query console/shell. It is completely standalone, does not communicate with a daemon and does not need to run as an administrator. Use the shell to prototype queries and explore the current state of your operating system.

osqueryd is the host monitoring daemon that allows you to schedule queries and record OS state changes. The daemon aggregates query results over time and generates logs, which indicate state change according to each query. The daemon also uses OS eventing APIs to record monitored file and directory changes, hardware events, network events, and more.

So now we know just a little bit of what osquery can do. How can we automate that, and make it work for us en masse? That's where Fleet by Kolide comes in…

– queue and send queries to clients/servers
– fleet will log any findings

Kolide offers another product as a SaaS option, Kolide Cloud:

"Kolide Cloud is the fastest way to get started with osquery in your organization. Following our setup guide, you can have Kolide on your machine and reporting insights in less than two minutes flat. Our pre-built packages make organization-wide deployment a piece of cake with the tools you already use today."

Installing Fleet

NOTE: You can also just use the Quickstart method, and skip to Exploring Fleet…

If you want to use Docker, you can pull the latest Fleet docker image.

If you want to use a Linux VM or otherwise, here is an example of an Ubuntu 16.04 setup process, after your initial VM setup.

Get the latest binary and move it to /usr/bin as fleet:

$ unzip fleet_latest.zip 'linux/*' -d fleet
$ sudo cp fleet/linux/fleet_linux_amd64 /usr/bin/fleet

You can run the database locally or on a remote DB server; that's up to you. For the sake of illustration, let's say you want to run it on a remote DB server. Create the database and grant the fleet user rights on it. Scope the user to the address the Fleet host will connect from rather than '%', so the credential is useless from anywhere else:

mysql> CREATE DATABASE fleet;
mysql> GRANT ALL PRIVILEGES ON fleet.* TO 'fleet'@'<fleet-host>' IDENTIFIED BY '<password>';

Then confirm the grant landed where you expect:

mysql> SELECT user, host FROM mysql.db WHERE db = 'fleet';

So now we can prepare the fleet database via the binary we installed on the fleet host. Use whatever database name and user you created, and hand the password over from a variable or a prompt rather than typing it into the command:

$ /usr/bin/fleet prepare db \
    -mysql_address=<db-host>:<port> \
    -mysql_database=fleet -mysql_username=fleet \
    -mysql_password="$PSW"

This will prepare the DB as needed. Once this is done, you could serve Fleet straight from the CLI, for example:

$ /usr/bin/fleet serve \
    -mysql_address=<db-host>:<port> \
    -mysql_database=fleet -mysql_username=fleet \
    -mysql_password='CiKv_Gzy9:>B]vJ-jifsm&' \
    -redis_address=127.0.0.1:6379 \
    -server_cert=/your/host/Certs/fleet.pem \
    -server_key=/your/host/Certs/fleet.key \
    -logging_json -auth_jwt_key "$auth_jwt_key"

Note that a password passed as a flag like this is visible to every local user in `ps` and ends up in your shell history, which is one more reason to prefer the next option. Fleet can also take a kolide.yaml config file (see the Fleet docs), so the above becomes a YAML file with one section per flag group; the last section, for example, sets where Fleet writes the osquery status and result logs:

osquery:
  status_log_file: /var/log/osquery/status.log
  result_log_file: /var/log/osquery/result.log

I won't get into all of Fleet's options, but most of the above are self explanatory. With the config file in place the launch is just:

$ /usr/bin/fleet serve -config /your/config/kolide.yaml

But I'd rather have it controlled through systemd (launch automatically, restart on failure, etc.), so before we launch we can configure systemd. Let's create a .service unit under /etc/systemd/system/ whose ExecStart line is:

ExecStart=/usr/bin/fleet serve -config /your/config/kolide.yaml

As well, I edited rsyslog.d to send the service's logs to a stand-alone file, /var/log/fleet/fleet-out.log, and to stop them from also being written to syslog. Creating an rsyslog.d conf with the following lines should ensure that:
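Pulling the Fleet setup steps above together (prepare and serve via kolide.yaml, the systemd unit, the rsyslog drop-in), here is an added example, not code from the original post or from Kolide. It renders the three files into a staging root so they can be inspected before being copied under /. Everything beyond the post's own lines is an assumption: a dedicated `fleet` system user and group, the config path /etc/fleet/kolide.yaml, the unit name fleet.service, the drop-in name 30-fleet.conf, the MySQL address db.example.internal:3306, and the systemd hardening directives. Secrets come from environment variables and land only in the 0600 config file, never on a command line.

```shell
#!/bin/sh
# Added example (not from the original post). Renders kolide.yaml, a systemd
# unit and an rsyslog drop-in for Fleet under a staging root ($1).

# kolide.yaml: the YAML form of the `fleet serve` flags from the post.
# Written inside a subshell with umask 077 so the file is 0600 no matter the
# caller's umask; the password and JWT key therefore never show up in `ps`.
write_kolide_yaml() {
  root=$1; mysql_addr=$2; mysql_pass=$3; jwt_key=$4
  mkdir -p "$root/etc/fleet"
  ( umask 077
    cat > "$root/etc/fleet/kolide.yaml" <<EOF
mysql:
  address: $mysql_addr
  database: fleet
  username: fleet
  password: $mysql_pass
redis:
  address: 127.0.0.1:6379
server:
  cert: /your/host/Certs/fleet.pem
  key: /your/host/Certs/fleet.key
auth:
  jwt_key: $jwt_key
logging:
  json: true
osquery:
  status_log_file: /var/log/osquery/status.log
  result_log_file: /var/log/osquery/result.log
EOF
  )
}

# systemd unit (assumed name fleet.service). Runs as the assumed `fleet`
# account; the hardening lines are an addition beyond the post. Fleet writes
# the osquery status/result logs, so that directory stays writable.
write_fleet_unit() {
  root=$1
  mkdir -p "$root/etc/systemd/system"
  cat > "$root/etc/systemd/system/fleet.service" <<'EOF'
[Unit]
Description=Kolide Fleet osquery manager
After=network-online.target
Wants=network-online.target

[Service]
User=fleet
Group=fleet
ExecStart=/usr/bin/fleet serve -config /etc/fleet/kolide.yaml
Restart=on-failure
RestartSec=5
SyslogIdentifier=fleet
NoNewPrivileges=true
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
ReadWritePaths=/var/log/osquery

[Install]
WantedBy=multi-user.target
EOF
}

# rsyslog drop-in: numbered below 50-default.conf so the `stop` runs before
# the default rules copy the line into /var/log/syslog. $programname matches
# the SyslogIdentifier set in the unit.
write_rsyslog_conf() {
  root=$1
  mkdir -p "$root/etc/rsyslog.d" "$root/var/log/fleet"
  cat > "$root/etc/rsyslog.d/30-fleet.conf" <<'EOF'
if $programname == 'fleet' then /var/log/fleet/fleet-out.log
& stop
EOF
}

# Sanity checks a reviewer would run before copying the staging root to /:
# config is owner-only, unit points at the config, and no secret leaked into
# the (world-readable) unit file.
check_layout() {
  root=$1
  [ "$(ls -l "$root/etc/fleet/kolide.yaml" | cut -c1-10)" = "-rw-------" ] || return 1
  grep -q '^ExecStart=/usr/bin/fleet serve -config ' "$root/etc/systemd/system/fleet.service" || return 1
  grep -q '^& stop' "$root/etc/rsyslog.d/30-fleet.conf" || return 1
  ! grep -qi 'password' "$root/etc/systemd/system/fleet.service"
}

render_fleet_files() {
  root=$1; mysql_addr=${2:-db.example.internal:3306}
  write_kolide_yaml "$root" "$mysql_addr" \
    "${FLEET_MYSQL_PASSWORD:?set FLEET_MYSQL_PASSWORD}" \
    "${FLEET_JWT_KEY:?set FLEET_JWT_KEY}"
  write_fleet_unit "$root"
  write_rsyslog_conf "$root"
  check_layout "$root"
}

# Usage: FLEET_MYSQL_PASSWORD=... FLEET_JWT_KEY=... sh fleet-files.sh /tmp/stage
if [ -n "${1:-}" ]; then
  render_fleet_files "$1" "${2:-}" && echo "rendered under $1"
fi
```

After reviewing the staged files, copy them under / preserving modes (`cp -p`), create the `fleet` system account, then `systemctl daemon-reload`, `systemctl enable --now fleet` and `systemctl restart rsyslog`. Because the unit uses ProtectSystem=strict, any extra path Fleet must write to has to be added to ReadWritePaths or the service will fail at start.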
