OSQuery : スケジュール監視する2016/10/16 |
|
スケジュールの設定をしてデーモンプログラムを起動することで、サーバーの状態を定期的にログに出力して監視することができます。
|
|
| [1] | 設定ファイルに必要な設定を記述してサービスを起動します。 |
|
[root@dlp ~]#
vi /etc/osquery/osquery.conf # 新規作成
{
"options": {
// 構成設定をどこから参照するかを定義 (filesystem はデフォルト)
"config_plugin": "filesystem",
// ログの出力先を定義 (filesystem はデフォルト)
"logger_plugin": "filesystem",
// ログ出力先のPATHを指定
"logger_path": "/var/log/osquery",
// デーモンの PID ファイル
"pidfile": "/var/osquery/osquery.pidfile",
// 同時実行クエリーのスレッド数
"worker_threads": "2",
// スケジュールされたクエリーの情報を収集
// schedule に「select * from osquery_schedule」を追加することでログ出力可
"enable_monitor": "true"
},
"schedule": {
// 例として CPU Time を 300秒毎に取得
"cpu_time": {
"query": "SELECT * FROM cpu_time;",
"interval": 300
},
// 例として resolv.conf 設定を一時間毎に取得
"dns_resolvers": {
"query": "SELECT * FROM dns_resolvers;",
"interval": 3600
}
},
"packs": {
// 他の設定ファイルをインクルード可
"hardware-monitoring": "/usr/share/osquery/packs/hardware-monitoring.conf"
}
}
systemctl start osqueryd [root@dlp ~]# systemctl enable osqueryd
|
| [2] | 設定した interval に従って設定した出力先に結果が出力されます。ただし、前回取得時の結果と差異がある場合のみ、続けて出力されます。 上記の例の dns_resolvers の設定のように、内容が頻繁に変わらないものについては、初回にロギングされて以降は、内容に変更があるまでログ出力はされません。 |
|
[root@dlp ~]# cat /var/log/osquery/osqueryd.results.log
{"name":"system_info","hostIdentifier":"dlp.srv.world","calendarTime":"Mon Oct 17 06:37:35 2016 UTC","unixTime":"1...
{"name":"system_info","hostIdentifier":"dlp.srv.world","calendarTime":"Mon Oct 17 06:37:35 2016 UTC","unixTime":"1...
{"name":"system_info","hostIdentifier":"dlp.srv.world","calendarTime":"Mon Oct 17 06:37:35 2016 UTC","unixTime":"1...
{"name":"system_info","hostIdentifier":"dlp.srv.world","calendarTime":"Mon Oct 17 06:37:35 2016 UTC","unixTime":"1...
{"name":"system_info","hostIdentifier":"dlp.srv.world","calendarTime":"Mon Oct 17 06:37:35 2016 UTC","unixTime":"1...
{"name":"system_info","hostIdentifier":"dlp.srv.world","calendarTime":"Mon Oct 17 06:37:35 2016 UTC","unixTime":"1...
{"name":"system_info","hostIdentifier":"dlp.srv.world","calendarTime":"Mon Oct 17 06:37:35 2016 UTC","unixTime":"1...
{"name":"system_info","hostIdentifier":"dlp.srv.world","calendarTime":"Mon Oct 17 06:37:35 2016 UTC","unixTime":"1...
{"name":"dns_resolvers","hostIdentifier":"dlp.srv.world","calendarTime":"Mon Oct 17 06:38:00 2016 UTC","unixTime":...
{"name":"dns_resolvers","hostIdentifier":"dlp.srv.world","calendarTime":"Mon Oct 17 06:38:00 2016 UTC","unixTime":...
{"name":"system_info","hostIdentifier":"dlp.srv.world","calendarTime":"Mon Oct 17 06:38:30 2016 UTC","unixTime":"1...
{"name":"system_info","hostIdentifier":"dlp.srv.world","calendarTime":"Mon Oct 17 06:38:30 2016 UTC","unixTime":"1...
{"name":"system_info","hostIdentifier":"dlp.srv.world","calendarTime":"Mon Oct 17 06:38:30 2016 UTC","unixTime":"1...
{"name":"system_info","hostIdentifier":"dlp.srv.world","calendarTime":"Mon Oct 17 06:38:30 2016 UTC","unixTime":"1...
{"name":"system_info","hostIdentifier":"dlp.srv.world","calendarTime":"Mon Oct 17 06:38:30 2016 UTC","unixTime":"1...
{"name":"system_info","hostIdentifier":"dlp.srv.world","calendarTime":"Mon Oct 17 06:38:30 2016 UTC","unixTime":"1...
{"name":"system_info","hostIdentifier":"dlp.srv.world","calendarTime":"Mon Oct 17 06:38:30 2016 UTC","unixTime":"1...
{"name":"system_info","hostIdentifier":"dlp.srv.world","calendarTime":"Mon Oct 17 06:38:30 2016 UTC","unixTime":"1...
{"name":"system_info","hostIdentifier":"dlp.srv.world","calendarTime":"Mon Oct 17 06:39:25 2016 UTC","unixTime":"1...
{"name":"system_info","hostIdentifier":"dlp.srv.world","calendarTime":"Mon Oct 17 06:39:25 2016 UTC","unixTime":"1...
|
| Sponsored Link |