Osquery uses basic SQL queries against a relational data model (tables such as processes, users and open sockets) to describe the state of a device.
Security Onion includes Kolide Fleet to manage your osquery deployment. For more information, please see the Fleet section.
To deploy an osquery agent to an endpoint, go to the Security Onion Console (SOC) Downloads page and download the proper osquery agent for the operating system of that endpoint. Use so-allow to allow the osquery agent to connect to port 8090 on the manager. Then install the osquery agent and it should check into the manager and start showing up in Fleet.
- To regenerate packages, run the following on the Manager (it will take up to 5 minutes to rebuild the packages):

    sudo salt-call state.apply fleet.event_gen-packages
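The following osquery SQL is an added example, not part of the Security Onion documentation, showing the relational model in practice: it joins the processes and process_open_sockets tables to confirm, from the endpoint itself (for instance in osqueryi), that the installed agent really holds a TCP connection to the manager on port 8090, and then lists anything else on the host talking to that port. It assumes the agent process is named osqueryd and uses the placeholder <MANAGER_IP> for the manager's address.

```sql
-- Added example (not from the Security Onion docs). Run on the endpoint
-- with osqueryi after installing the agent and opening port 8090 with
-- so-allow. Assumptions: agent process name is 'osqueryd'; <MANAGER_IP>
-- is a placeholder for the Security Onion manager's IP address.

-- 1. Confirm the agent has an established TCP socket to the manager.
SELECT
  p.pid,
  p.name,
  p.path,
  s.local_address,
  s.local_port,
  s.remote_address,
  s.remote_port,
  s.state
FROM processes AS p
JOIN process_open_sockets AS s USING (pid)
WHERE p.name = 'osqueryd'
  AND s.protocol = 6                    -- 6 = TCP
  AND s.remote_port = 8090
  AND s.remote_address = '<MANAGER_IP>';

-- 2. Inventory every other process with a socket to port 8090, so that
--    anything besides the agent using the Fleet port stands out.
SELECT
  p.pid,
  p.name,
  p.cmdline,
  p.uid,
  s.remote_address,
  s.state
FROM process_open_sockets AS s
JOIN processes AS p USING (pid)
WHERE s.protocol = 6
  AND s.remote_port = 8090
  AND p.name != 'osqueryd'
ORDER BY p.pid;
```

An empty result from the first query after installation usually means so-allow has not yet opened port 8090 for that endpoint or the agent is still starting.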
Hunt or Kibana
All osquery logs can be found by using the following query:
Kibana Dashboard: Host Data –> Modules/Osquery
This dashboard gives an overview of the osquery logs in the system. As long as the default osquery configuration is used, this dashboard should work out of the box regardless of how you schedule or name your queries and packs.
We sponsored the development of Community ID support for osquery: