Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Best way to retrieve osquery query run results from external app? #575

Open
maiorfi opened this issue Dec 21, 2022 · 3 comments
Open

Best way to retrieve osquery query run results from external app? #575

maiorfi opened this issue Dec 21, 2022 · 3 comments

Comments

@maiorfi
Copy link

maiorfi commented Dec 21, 2022

Hi. What is the intended way to collect data related to osquery query runs shown in zentral web interface from an externa application? Are there any zentral API exposing such data?

Thanks.

@np5
Copy link
Member

np5 commented Dec 21, 2022

Hi. I have just added the documentation for the existing API endpoint that can be used to download the results of an Osquery run. There are still other undocumented endpoints, and we are planing some work on this part of the project at the beginning of January. Could you describe the workflow you have in mind so that we can evaluate if some of the required endpoints are missing?

@maiorfi
Copy link
Author

maiorfi commented Dec 22, 2022

Hi. We'd like to deploy osquery remote configuration to a bunch of hosts, schedule execution of a set of 5-10 queries recurring with different intervals (from a few seconds to 24 hours) while collecting run results via zentral api in order to detect deltas and/or potentially critic conditions in terms of availability or security.

@np5
Copy link
Member

np5 commented Dec 22, 2022

The scheduled queries produce events when osquery detects changes on a host or every time they run (snapshot mode). Those are automatically collected by Zentral and shipped to the configured event stores. You can also apply some routing to ship some of the query pack results only to some stores.

What are called "runs" in Zentral are the distributed or "on demand" queries. We do not turn the results into events, since they do not really align with them. Those are more "exploratory" tools. The API I pointed to is the one to retrieve the results for the "on-demand" queries, not the scheduled ones.

Zentral also can do a little bit more with the Osquery queries, when they are written to output a ztl_status column. Those can be run as compliance checks, and the status of each compliance check for each machine is recorded in the inventory. When a machine falls out of compliance, special events are emitted, and could be routed to slack for example. They can also be visualized via the exported prometheus metrics.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants