Comments on How to Setup File Integrity Monitoring (FIM) using osquery on Linux
Osquery is an open source operating system instrumentation, monitoring, and analytics framework. In this tutorial, we show how to set up File Integrity Monitoring (FIM) using osquery. We will be using the Linux operating systems Ubuntu 18.04 and CentOS 7.
3 Comment(s)
Comments
I am not seeing the entries when I query them via osqueryi. I do see them in osqueryd.results.log.
osquery>
osquery> select * from file_events;
osquery>
osquery> select count(*) from file_events;
+----------+
| count(*) |
+----------+
| 0        |
+----------+
osquery>
root@ubuntu:/var/log/osquery# grep -rin hakase-labs.md osqueryd.results.log
124:{"name":"pack_fim_file_events","hostIdentifier":"ubuntu","calendarTime":"Fri Sep 7 20:35:36 2018 UTC","unixTime":1536352536,"epoch":0,"counter":0,"decorations":{"host_uuid":"C533AB2D-BA0F-4E71-8525-9A47FE732060","username":"abrand"},"columns":{"action":"CREATED","atime":"1536352464","category":"home","ctime":"1536352464","gid":"1000","hashed":"1","inode":"261890","md5":"d41d8cd98f00b204e9800998ecf8427e","mode":"0664","mtime":"1536352464","sha1":"da39a3ee5e6b4b0d3255bfef95601890afd80709","sha256":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855","size":"0","target_path":"/home/abrand/hakase-labs.md","time":"1536352464","transaction_id":"0","uid":"1000"},"action":"added"}
125:{"name":"pack_fim_file_events","hostIdentifier":"ubuntu","calendarTime":"Fri Sep 7 20:35:36 2018 UTC","unixTime":1536352536,"epoch":0,"counter":0,"decorations":{"host_uuid":"C533AB2D-BA0F-4E71-8525-9A47FE732060","username":"abrand"},"columns":{"action":"ATTRIBUTES_MODIFIED","atime":"1536352464","category":"home","ctime":"1536352464","gid":"1000","hashed":"0","inode":"261890","md5":"","mode":"0664","mtime":"1536352464","sha1":"","sha256":"","size":"0","target_path":"/home/abrand/hakase-labs.md","time":"1536352464","transaction_id":"0","uid":"1000"},"action":"added"}
126:{"name":"pack_fim_file_events","hostIdentifier":"ubuntu","calendarTime":"Fri Sep 7 20:35:36 2018 UTC","unixTime":1536352536,"epoch":0,"counter":0,"decorations":{"host_uuid":"C533AB2D-BA0F-4E71-8525-9A47FE732060","username":"abrand"},"columns":{"action":"UPDATED","atime":"1536352464","category":"home","ctime":"1536352464","gid":"1000","hashed":"1","inode":"261890","md5":"d41d8cd98f00b204e9800998ecf8427e","mode":"0664","mtime":"1536352464","sha1":"da39a3ee5e6b4b0d3255bfef95601890afd80709","sha256":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855","size":"0","target_path":"/home/abrand/hakase-labs.md","time":"1536352464","transaction_id":"0","uid":"1000"},"action":"added"}
334:{"name":"pack_fim_file_events","hostIdentifier":"ubuntu","calendarTime":"Fri Sep 7 20:45:20 2018 UTC","unixTime":1536353120,"epoch":0,"counter":0,"decorations":{"host_uuid":"C533AB2D-BA0F-4E71-8525-9A47FE732060","username":"reboot"},"columns":{"action":"DELETED","atime":"","category":"home","ctime":"","gid":"","hashed":"0","inode":"","md5":"","mode":"","mtime":"","sha1":"","sha256":"","size":"","target_path":"/home/abrand/hakase-labs.md","time":"1536353034","transaction_id":"0","uid":""},"action":"added"}
335:{"name":"pack_fim_file_events","hostIdentifier":"ubuntu","calendarTime":"Fri Sep 7 20:45:20 2018 UTC","unixTime":1536353120,"epoch":0,"counter":0,"decorations":{"host_uuid":"C533AB2D-BA0F-4E71-8525-9A47FE732060","username":"reboot"},"columns":{"action":"CREATED","atime":"1536353039","category":"home","ctime":"1536353039","gid":"1000","hashed":"1","inode":"261493","md5":"d41d8cd98f00b204e9800998ecf8427e","mode":"0664","mtime":"1536353039","sha1":"da39a3ee5e6b4b0d3255bfef95601890afd80709","sha256":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855","size":"0","target_path":"/home/abrand/hakase-labs.md","time":"1536353039","transaction_id":"0","uid":"1000"},"action":"added"}
336:{"name":"pack_fim_file_events","hostIdentifier":"ubuntu","calendarTime":"Fri Sep 7 20:45:20 2018 UTC","unixTime":1536353120,"epoch":0,"counter":0,"decorations":{"host_uuid":"C533AB2D-BA0F-4E71-8525-9A47FE732060","username":"reboot"},"columns":{"action":"ATTRIBUTES_MODIFIED","atime":"1536353039","category":"home","ctime":"1536353039","gid":"1000","hashed":"0","inode":"261493","md5":"","mode":"0664","mtime":"1536353039","sha1":"","sha256":"","size":"0","target_path":"/home/abrand/hakase-labs.md","time":"1536353039","transaction_id":"0","uid":"1000"},"action":"added"}
337:{"name":"pack_fim_file_events","hostIdentifier":"ubuntu","calendarTime":"Fri Sep 7 20:45:20 2018 UTC","unixTime":1536353120,"epoch":0,"counter":0,"decorations":{"host_uuid":"C533AB2D-BA0F-4E71-8525-9A47FE732060","username":"reboot"},"columns":{"action":"UPDATED","atime":"1536353039","category":"home","ctime":"1536353039","gid":"1000","hashed":"1","inode":"261493","md5":"d41d8cd98f00b204e9800998ecf8427e","mode":"0664","mtime":"1536353039","sha1":"da39a3ee5e6b4b0d3255bfef95601890afd80709","sha256":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855","size":"0","target_path":"/home/abrand/hakase-labs.md","time":"1536353039","transaction_id":"0","uid":"1000"},"action":"added"}
root@ubuntu:/var/log/osquery#
Nothing returned an error while setting it up, and I'm not seeing anything in the error logs. Any ideas?
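The results-log lines above are plain newline-delimited JSON, one row per event, so the history osqueryd did capture can be reconstructed from the log even while the shell shows nothing. The Python below is an added example, not code from the tutorial or from the osquery project. The log lines it parses are constructed to follow the same schema as the comment's output (pack "fim", query "file_events"), with made-up times and inodes; the hashes are those of an empty file. It groups events per path, skips the empty hashes on rows whose hashed column is 0 so they are never misread as content changes, and flags a file that was deleted and then recreated under a new inode, which is what the two CREATED rows with inodes 261890 and 261493 in the comment show.

```python
import json
from collections import defaultdict

# Constructed sample: five osqueryd.results.log lines in the schema shown in the
# comment above, trimmed to the fields used here. Times and inodes are made up;
# the sha256 is that of an empty (size 0) file. The last record is an unrelated
# scheduled query that a FIM consumer must ignore.
EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
PATH = "/home/abrand/hakase-labs.md"
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"name": "pack_fim_file_events", "hostIdentifier": "ubuntu", "action": "added",
     "columns": {"action": "CREATED", "target_path": PATH, "inode": "261890",
                 "hashed": "1", "sha256": EMPTY_SHA256, "time": "1536352464"}},
    {"name": "pack_fim_file_events", "hostIdentifier": "ubuntu", "action": "added",
     "columns": {"action": "ATTRIBUTES_MODIFIED", "target_path": PATH, "inode": "261890",
                 "hashed": "0", "sha256": "", "time": "1536352464"}},
    {"name": "pack_fim_file_events", "hostIdentifier": "ubuntu", "action": "added",
     "columns": {"action": "DELETED", "target_path": PATH, "inode": "",
                 "hashed": "0", "sha256": "", "time": "1536353034"}},
    {"name": "pack_fim_file_events", "hostIdentifier": "ubuntu", "action": "added",
     "columns": {"action": "CREATED", "target_path": PATH, "inode": "261493",
                 "hashed": "1", "sha256": EMPTY_SHA256, "time": "1536353039"}},
    {"name": "pack_osquery-monitoring_osquery_info", "hostIdentifier": "ubuntu",
     "action": "added", "columns": {"pid": "1234"}},
])


def parse_fim_events(log_text, query_name="pack_fim_file_events"):
    """Return the file_events rows (the 'columns' dicts) from results-log text,
    in log order. Blank or malformed lines and rows from other scheduled
    queries are skipped; only rows the differential logger marked 'added'
    are kept."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("name") != query_name or rec.get("action") != "added":
            continue
        events.append(rec["columns"])
    return events


def file_history(events):
    """Group events by target_path and order them by the row's own 'time'
    column (when the change was observed), not by the batch's calendarTime
    (when osqueryd wrote the batch out)."""
    hist = defaultdict(list)
    for ev in events:
        hist[ev["target_path"]].append(ev)
    for path in hist:
        hist[path].sort(key=lambda e: int(e["time"] or 0))
    return dict(hist)


def content_changes(history):
    """Paths whose sha256 differs between two hashed observations. Rows with
    hashed == "0" (ATTRIBUTES_MODIFIED, DELETED) carry empty hash strings and
    are excluded, so an empty string is never counted as a new hash."""
    changed = []
    for path, evs in history.items():
        hashes = {e["sha256"] for e in evs if e.get("hashed") == "1" and e.get("sha256")}
        if len(hashes) > 1:
            changed.append(path)
    return changed


def recreated_files(history):
    """Paths that were DELETED and then CREATED again under a different inode:
    the same name, but no longer the file the earlier hashes described."""
    out = []
    for path, evs in history.items():
        last_inode, deleted = None, False
        for e in evs:
            if e["action"] == "DELETED":
                deleted = True
                continue
            if e["action"] == "CREATED":
                if deleted and last_inode and e["inode"] != last_inode:
                    out.append(path)
                    break
                deleted = False
            if e["inode"]:
                last_inode = e["inode"]
    return out


if __name__ == "__main__":
    hist = file_history(parse_fim_events(SAMPLE_LOG))
    for path, evs in hist.items():
        print(path)
        for e in evs:
            print(f"  {e['time']} {e['action']:20} inode={e['inode'] or '-':7} sha256={e['sha256'][:12] or '-'}")
    print("content changed:", content_changes(hist))
    print("deleted and recreated:", recreated_files(hist))
```

Run it against the real file with `python3 fim_history.py < /var/log/osquery/osqueryd.results.log` after swapping SAMPLE_LOG for `sys.stdin.read()`; the query name to filter on is the pack name and query name joined as `pack_<pack>_<query>`, exactly as it appears in the `name` field.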
If you don't see any file events when you run queries through osqueryi, it's because you have to run osqueryi with the config file, as was mentioned:
osqueryi --config-path /etc/osquery/osquery.conf
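Whether an osqueryi session shows file events depends on what it was started with: with no config it has no file_paths, so the inotify publisher has nothing to subscribe to, and the shell keeps its own ephemeral event store rather than reading osqueryd's, so it only shows events that happen while the shell itself is running with those file_paths loaded. The checker below is an added example, not part of the tutorial or of osquery; it takes a parsed osquery.conf and lists the FIM prerequisites that are missing. Both sample configurations are constructed: an empty one standing in for a bare osqueryi, and one modeled on the tutorial's layout (file_paths, file_accesses, enable_file_events, an inline "fim" pack). The option, section and table names are osquery's own; the globs and the pack body are assumptions.

```python
import json

# Constructed sample: the shape of the tutorial's /etc/osquery/osquery.conf.
# Option and section names are osquery's; the globs and the pack body are mine.
FIM_CONF_JSON = """
{
  "options": {
    "config_plugin": "filesystem",
    "logger_plugin": "filesystem",
    "logger_path": "/var/log/osquery",
    "disable_events": "false",
    "enable_file_events": "true"
  },
  "file_paths": {
    "home": ["/home/%%"],
    "etc":  ["/etc/%%"]
  },
  "file_accesses": ["home"],
  "packs": {
    "fim": {
      "queries": {
        "file_events": {"query": "SELECT * FROM file_events;", "interval": 300, "removed": false}
      }
    }
  }
}
"""
FIM_CONF = json.loads(FIM_CONF_JSON)

# What a bare `osqueryi` with no --config-path effectively starts with.
BARE_SHELL_CONF = {}


def _truthy(value):
    # osquery.conf options are usually strings ("true"), sometimes JSON booleans.
    return str(value).lower() in ("1", "true", "yes")


def _queries_file_events(conf):
    """True if a scheduled query or an inline pack selects from file_events.
    A pack given as a path string cannot be inspected offline and is ignored."""
    sqls = [q.get("query", "") for q in conf.get("schedule", {}).values()]
    for pack in conf.get("packs", {}).values():
        if isinstance(pack, dict):
            sqls += [q.get("query", "") for q in pack.get("queries", {}).values()]
    return any("file_events" in s.lower() for s in sqls)


def check_fim_config(conf):
    """Return the reasons why 'select * from file_events' would stay empty (or
    never reach the results log) for this configuration; [] means the FIM
    prerequisites are all present."""
    problems = []
    opts = conf.get("options", {})
    file_paths = conf.get("file_paths") or {}

    if not [p for patterns in file_paths.values() for p in patterns]:
        problems.append("file_paths is missing or empty: nothing is watched")

    if _truthy(opts.get("disable_events", False)):
        problems.append("options.disable_events is true: no event publisher runs")
    if not _truthy(opts.get("enable_file_events", False)):
        problems.append("options.enable_file_events is not true: the file_events publisher stays off")

    # file_accesses names categories defined in file_paths; anything else is a typo
    for category in conf.get("file_accesses", []):
        if category not in file_paths:
            problems.append(f"file_accesses names unknown file_paths category {category!r}")

    # without a consumer the buffered events are never written to the results log
    if not _queries_file_events(conf):
        problems.append("no scheduled query or inline pack selects from file_events")
    return problems


if __name__ == "__main__":
    for label, conf in (("bare osqueryi", BARE_SHELL_CONF), ("tutorial config", FIM_CONF)):
        print(label + ":", check_fim_config(conf) or "ok")
```

`osqueryi --config-path ... --config_check`, as used in the last comment, catches JSON syntax errors and flag names the installed build does not know; this check covers the gaps that pass --config_check but still leave file_events empty. To run it on a real file, replace FIM_CONF with `json.load(open("/etc/osquery/osquery.conf"))`.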
Hi, I have the same issue with the config provided as an option in the command:
sudo osqueryi --config-path /etc/osquery/osquery.conf
Also, I get an error for the default configuration above:
osqueryi --config-path /etc/osquery/osquery.conf --config_check
Cannot set unknown or invalid flag: log_result_events
Probably a typo?