
Is it possible to break out the results log for osquery? Currently, every query is being lumped into osqueryd.results.log but I'd like to break out logging based on scheduled events. How can I achieve this?

Example:

{
  "options": {
    "config_plugin": "filesystem",
    "logger_plugin": "filesystem",
    "host_identifier": "hostname",
    "utc": "true"
  },
  "schedule": {
    "crontab": {
      "query": "SELECT * FROM crontab;",
      "interval": 100000,
      +"logger_path": "/var/log/osquery/crontab.log"
    },
    "file_events": {
      "query": "SELECT * FROM file_events;",
      "removed": false,
      "interval": 10,
      +"logger_path": "/var/log/osquery/file_events.log"
    }
  },
  "file_paths": {
    "homes": [
      "/home/%/.ssh/%%"
    ],
    "etc": [
      "/etc/%%"
    ]
  },
  "exclude_paths": {
    "resolv.conf.*": [
      "/etc/resolv.conf.%"
    ]
  },
  "decorators": {
    "load": [
      "SELECT uuid AS host_uuid FROM system_info;",
      "SELECT user AS username FROM logged_in_users ORDER BY time DESC LIMIT 1;"
    ]
  }
}
rcgelber

1 Answer


This functionality does not exist in osquery.

You have a couple of options:

1) Are the logs being fed into a logging pipeline? You could split them up within that pipeline.

2) Open a feature request with the osquery project. No guarantees on what will be implemented, but that is a good way to open a discussion.

Zach
    Thanks for the reply. I think I'll just have to break out the osqueryd.results.log file within logstash. On top of that, I'll definitely request this feature. – rcgelber Feb 21 '20 at 20:30