1

是否可以打破 osquery 的结果日志?目前,每个查询都集中在 osqueryd.results.log 中,但我想根据预定事件分解日志记录。我怎样才能做到这一点?

例子:

 {
  "options": {
    "config_plugin": "filesystem",
    "logger_plugin": "filesystem",
    "host_identifier": "hostname",
    "utc": "true"
  },
  "schedule": {
    "crontab": {
      "query": "SELECT * FROM crontab;",
      "interval": 100000,
      +"logger_path": "/var/log/osquery/crontab.log"

    },
    "file_events": {
      "query": "SELECT * FROM file_events;",
      "removed": false,
      "interval": 10,
      +"logger_path": "/var/log/osquery/file_events.log"
    }
  },
  "file_paths": {
    "homes": [
      "/home/%/.ssh/%%"
    ],
    "etc": [
      "/etc/%%"
    ]
  },
  "exclude_paths": {
    "resolv.conf.*": [
      "/etc/resolv.conf.%"
    ]
  },
  "decorators": {
    "load": [
      "SELECT uuid AS host_uuid FROM system_info;",
      "SELECT user AS username FROM logged_in_users ORDER BY time DESC LIMIT 1;"
    ]
  }
}
4

1 回答 1

1

osquery 中不存在此功能。

你有几个选择:

1) 日志是否被送入日志管道?您可以在该管道中拆分它们。

2)使用 osquery 项目打开功能请求。无法保证将实施什么,但这是展开讨论的好方法。

于 2020-02-21T02:23:16.953 回答