Kolide osquery

Threat hunting on Linux and Mac has probably never been easier. With the combination of the tools below, we can query all of our hosts on demand for IOCs, schedule queries to run on an automated basis and feed all of the results into our SIEM.

Osquery – A tool that lets us query devices as if they were databases. It was built by Facebook with performance in mind, and it is platform agnostic, so we can deploy it across all endpoints regardless of host OS.

Kolide Fleet – A flexible control server for osquery fleets. Fleet lets us query multiple hosts on demand, create query packs, build schedules and manage the hosts in our environment.

Elastic Stack – Elasticsearch, Logstash and Kibana, tools for collecting, normalizing and visualizing logs.

This post will assume a couple of things:

- A running Elastic Stack. This has most likely never been easier: check out Roberto Rodriguez's HELK (Hunting ELK) and run its setup script. If you like to do things manually so you understand how everything works, Roberto Rodriguez has you covered; head over to his site and follow his tutorials (they are top-notch). For this post I am using HELK, so it should be all you need.
- An Ubuntu 16.04 server to run Kolide Fleet. You can run this on the same box as your Elastic Stack.
- At least one Linux host to run the osquery daemon. You can also run it on the same box as Kolide Fleet or your Elastic Stack.

Kolide Setup:

Before we begin, make sure to run: apt update && apt upgrade

This tutorial uses a separate host to run Kolide Fleet, so I will point out what you might need to change to make it work on the same server. You can use Kolide's official documentation for most of this if you'd like; I basically customized their install guide to better fit our purpose. Use the password 'kolide' (or whatever you want, just adjust accordingly as you go). Alternatively, if you have time, use the proper procedure to run Redis, although that is totally unnecessary for the purpose of this guide. Now, if you go to your local browser, you should be redirected to the page where you can create your first Fleet user account.

We need to create some queries now. You can do this in the GUI, or you can run the importer tool found here. The importer tool is a bit buggy, so for the purpose of this post we will configure the queries manually. Go to Packs –> Manage Packs –> Create New Pack. Name the pack 'linux_collection' and add a description if you'd like. Under Select Pack Targets, choose All Hosts. On the right hand side of the page you should see Select Query; click that drop-down and choose 'crontab'. Set the interval to 60, the Platform to Linux, the minimum version to All and the Logging to Snapshot. Snapshot logging returns the full result set on every run; differential logging returns only the rows that were added or removed since the last run, which is what you want when monitoring for malicious changes. The shard is the percentage of the targeted hosts that this pack will query; in a large environment it might make sense to query only a portion of the hosts each time instead of all of them. Repeat these steps for the following queries: etc_hosts, iptables, listening_ports, mounts, open_files and shell_history.

All of these queries can be run on demand as well.

Now, on your Linux host, we need to install osquery. As I mentioned at the beginning of the post, you can install it on the same machine that is running Kolide Fleet, on your Elastic Stack box, or on a standalone box.

Back on your new Kolide instance, select 'Add New Hosts' and copy the enroll secret. Select Fetch Kolide Certificate and move the certificate to your Linux box at /var/osquery/server.pem. Instead of using scp or the like, you can simply open the certificate file in a text editor and copy/paste it into your Linux terminal. Now, back on the host where you are installing osquery, replace the placeholder secret with the enroll secret that Fleet provided, and on line 11 replace localhost with the IP of the server running Kolide Fleet. If you go back to your Kolide app, you should see your new host appear!

We need to use Filebeat to move our osquery logs over to our Elastic Stack. If you are running osquery on the same machine as your Elastic Stack, you don't need Filebeat; you can simply use the Logstash file input plugin to read the log file and push the events to Elasticsearch. In the Filebeat config file, paste the following:

On line 31, replace localhost with your Logstash server IP. If you are using HELK out of the box, you will not need to configure ssl.certificate_authorities. However, if you followed the manual ELK setup and/or would like to use an SSL certificate to encrypt the log traffic, you will need to edit that line so it points at the certificate that Logstash is using.
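The 'linux_collection' pack above is assembled by clicking through the Fleet GUI. The same pack expressed as an osquery pack file, as an added example that is not part of the original post or of Fleet's own code: osquery's native pack JSON is what osqueryd loads through its config and what the importer tool mentioned above is meant to consume, so it is the natural hand-off point if you want to version the pack instead of re-creating it by hand. The SQL for each query is an assumption (the post only names the queries, so each one selects every column of the table of the same name), the shard bucketing is illustrative rather than osquery's exact arithmetic, and the file name linux_collection.conf is arbitrary.

```python
"""Build the post's 'linux_collection' pack as an osquery pack file.

Added example, not code from the original post or from Fleet. It captures the
settings the post configures by hand in the Fleet GUI (interval 60, platform
linux, snapshot logging) in osquery's pack JSON format.
"""
import hashlib
import json

# Query names from the post. Assumption: each query reads the osquery table of
# the same name, since the post does not show the SQL it used.
QUERY_NAMES = ["crontab", "etc_hosts", "iptables", "listening_ports",
               "mounts", "open_files", "shell_history"]


def build_linux_collection_pack(interval=60, snapshot=True, shard=100):
    """Return the pack as a dict in osquery pack format.

    snapshot=True  -> every run logs the full result set (the post's setting)
    snapshot=False -> differential: only rows added/removed since the last run
    shard          -> percentage of the targeted hosts that should run the pack
    """
    if not 0 <= shard <= 100:
        raise ValueError("shard is a percentage, 0-100")
    queries = {}
    for name in QUERY_NAMES:
        queries[name] = {
            "query": f"SELECT * FROM {name};",
            "interval": interval,
            "platform": "linux",
            "snapshot": snapshot,
            "description": f"Collect {name} from all Linux hosts",
        }
    return {"platform": "linux", "shard": shard, "queries": queries}


def validate_pack(pack):
    """Return a list of problems a hand-edited pack commonly has (empty = ok)."""
    problems = []
    for name, q in pack.get("queries", {}).items():
        if not q.get("query", "").rstrip().endswith(";"):
            problems.append(f"{name}: query must end with ';'")
        if not isinstance(q.get("interval"), int) or q["interval"] <= 0:
            problems.append(f"{name}: interval must be a positive integer")
        if "snapshot" in q and not isinstance(q["snapshot"], bool):
            problems.append(f"{name}: snapshot must be true/false")
    return problems


def host_in_shard(host_identifier, shard):
    """Decide whether a host falls inside a shard percentage.

    Illustrative only (assumption): osquery derives a stable bucket from a hash
    of the host name and runs the pack when that bucket falls below the shard
    percentage. A SHA-256 prefix is used here instead of osquery's own
    computation, so the result is stable across runs but will not match what a
    real osqueryd decides.
    """
    digest = hashlib.sha256(host_identifier.encode()).hexdigest()
    bucket = int(digest[:8], 16) % 100
    return bucket < shard


def hosts_in_shard(host_identifiers, shard):
    """Subset of hosts that would run a pack with the given shard percentage."""
    return [h for h in host_identifiers if host_in_shard(h, shard)]


if __name__ == "__main__":
    pack = build_linux_collection_pack()
    assert not validate_pack(pack)
    with open("linux_collection.conf", "w") as fh:
        json.dump(pack, fh, indent=2)
    fleet = [f"host-{i:03d}" for i in range(1000)]  # constructed host names
    print(len(hosts_in_shard(fleet, 25)), "of", len(fleet),
          "hosts would run a 25% shard of this pack")
```

Keeping the pack as a file also makes the Snapshot/differential choice reviewable: flipping `snapshot` to `False` for a query such as crontab turns the pack into a change monitor without touching the GUI.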
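The Snapshot versus differential choice made in the pack section above matters mostly on the consuming side: once Filebeat has shipped the osquery results log to Logstash, a differential result already states what changed, while a snapshot carries the whole table and has to be compared with the previous one. The following is an added example, not code from the original post, Fleet or HELK, that normalizes the three record shapes osquery writes to its results log and applies a few hunting rules to constructed sample lines; the port allowlist and the rules themselves are assumptions for illustration.

```python
"""Normalize osquery result-log lines and flag suspicious changes.

Added example, not code from the original post, Fleet or HELK. Input is the
newline-delimited JSON that osqueryd writes to its results log. The sample
lines are constructed; the field names (name, hostIdentifier, action, columns,
snapshot, diffResults) follow osquery's documented result-log format.
"""
import json

# Constructed sample log (not real data). Scheduled pack queries are logged
# under the name pack/<pack>/<query>.
SAMPLE_LOG = "\n".join([
    # differential, event format: one row per line with an action
    json.dumps({"name": "pack/linux_collection/crontab", "hostIdentifier": "web-01",
                "unixTime": 1520330400, "action": "added",
                "columns": {"minute": "*/5", "hour": "*", "path": "/etc/crontab",
                            "command": "/usr/bin/python /tmp/.x/agent.py"}}),
    # differential, batch format (--logger_event_type=false): added/removed lists
    json.dumps({"name": "pack/linux_collection/etc_hosts", "hostIdentifier": "web-01",
                "unixTime": 1520330400,
                "diffResults": {"added": [{"address": "203.0.113.10",
                                           "hostnames": "login.example.com"}],
                                "removed": []}}),
    # two consecutive snapshots of the same query on the same host
    json.dumps({"name": "pack/linux_collection/listening_ports", "hostIdentifier": "web-01",
                "unixTime": 1520330400, "action": "snapshot",
                "snapshot": [{"pid": "612", "port": "22", "protocol": "6", "address": "0.0.0.0"},
                             {"pid": "1408", "port": "80", "protocol": "6", "address": "0.0.0.0"}]}),
    json.dumps({"name": "pack/linux_collection/listening_ports", "hostIdentifier": "web-01",
                "unixTime": 1520330460, "action": "snapshot",
                "snapshot": [{"pid": "612", "port": "22", "protocol": "6", "address": "0.0.0.0"},
                             {"pid": "1408", "port": "80", "protocol": "6", "address": "0.0.0.0"},
                             {"pid": "9911", "port": "4444", "protocol": "6", "address": "0.0.0.0"}]}),
    # a removal on another host: worth reviewing, but not an alert by itself
    json.dumps({"name": "pack/linux_collection/crontab", "hostIdentifier": "db-01",
                "unixTime": 1520330460, "action": "removed",
                "columns": {"minute": "0", "hour": "3", "path": "/etc/crontab",
                            "command": "/usr/local/bin/backup.sh"}}),
])

EXPECTED_PORTS = {"22", "80", "443"}  # assumed allowlist for the example


def normalize(record):
    """Yield (host, query, action, row) for any of osquery's three result shapes."""
    host, query = record.get("hostIdentifier"), record.get("name")
    if "snapshot" in record:
        for row in record["snapshot"]:
            yield host, query, "snapshot", row
    elif "diffResults" in record:
        for action in ("added", "removed"):
            for row in record["diffResults"].get(action, []):
                yield host, query, action, row
    elif "columns" in record:
        yield host, query, record.get("action", "added"), record["columns"]


def diff_snapshots(previous, current):
    """Derive added/removed rows from two snapshots of the same query."""
    prev_keys = {frozenset(r.items()) for r in previous}
    cur_keys = {frozenset(r.items()) for r in current}
    added = [r for r in current if frozenset(r.items()) not in prev_keys]
    removed = [r for r in previous if frozenset(r.items()) not in cur_keys]
    return added, removed


def process_log(text):
    """Turn a results log into change dicts (host, query, action, row, source).

    Differential rows are changes already. Snapshot rows are diffed against the
    previous snapshot of the same (host, query); the first snapshot only
    establishes the baseline and yields no change.
    """
    changes, last_snapshot = [], {}
    for line in text.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        snapshot_rows = []
        for host, query, action, row in normalize(record):
            if action == "snapshot":
                snapshot_rows.append(row)
            else:
                changes.append({"host": host, "query": query, "action": action,
                                "row": row, "source": "differential"})
        if "snapshot" in record:
            key = (record.get("hostIdentifier"), record.get("name"))
            if key in last_snapshot:
                added, removed = diff_snapshots(last_snapshot[key], snapshot_rows)
                for action, rows in (("added", added), ("removed", removed)):
                    for row in rows:
                        changes.append({"host": key[0], "query": key[1], "action": action,
                                        "row": row, "source": "snapshot"})
            last_snapshot[key] = snapshot_rows
    return changes


def alerts(changes):
    """Hunting rules over normalized changes; the rules are assumptions."""
    out = []
    for c in changes:
        if c["action"] != "added":
            continue
        table = c["query"].rsplit("/", 1)[-1]
        if table in ("crontab", "etc_hosts"):
            out.append(f"{c['host']}: new {table} entry {c['row']}")
        elif table == "listening_ports" and c["row"].get("port") not in EXPECTED_PORTS:
            out.append(f"{c['host']}: unexpected listening port {c['row']['port']} "
                       f"(pid {c['row'].get('pid')})")
    return out


if __name__ == "__main__":
    for alert in alerts(process_log(SAMPLE_LOG)):
        print(alert)
```

Running the script prints three alerts for the sample log: the new crontab entry, the new /etc/hosts mapping and the new listener on port 4444, the last of which only exists because two snapshots were diffed; the crontab removal on db-01 is kept as a change but not alerted on. The same normalization is what a Logstash filter or a Kibana rule has to do with Snapshot-logged packs, which is why differential logging is the cheaper choice for pure change monitoring.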