Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Filebeat: osquery module #5971

Merged
merged 5 commits into from
Jan 10, 2018
Merged

Filebeat: osquery module #5971

merged 5 commits into from
Jan 10, 2018

Conversation

tsg
Copy link
Contributor

@tsg tsg commented Jan 2, 2018

This adds a Filebeat module for centralising osquery logs.

screencapture-localhost-5601-vjo-app-kibana-1514472334644

osqueryd writes the results in JSON, which makes it fairly easy to ingest to the Elastic stack. The module uses the JSON decoding support in Filebeat, and then renames the fields to match the Beats naming conventions (most fields prefixed with osquery.result). There is an option (use_namespace: false) to leave the fields as they were in the original JSON, but changing that settings makes the sample dashboards unusable.

Another issue is that the osquery JSON format represents all data as strings (the numbers are quoted). This is both bad and good. It's bad because number aggregations don't work on what should be numbers, but it's good because it means there can't be any type conflicts. We could, potentially, do the type conversions ourselves based on the osquery schema, but that seems risky with regards to the schema changes. The osquery JSON output should also be fixed once osquery switches to RapidJSON, which seems to be in progress.

@tsg tsg added Filebeat Filebeat in progress Pull request is currently in progress. module review labels Jan 2, 2018
- name: calendar_time
tupe: keyword
description: >
String representation of the collection time, as formatted by osquery.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Interesting that this is called calendar_time. I like the description with collection time. I wonder if we should have a common field in the future for the collection_time (or a different name).

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In osquery, they have unixTime and calendarTime which are different representations of the same moment. These get translated to unix_time and calendar_time by the module, and @timestamp is computed from unix_time. So there's quite a bit of redundancy, we could consider dropping the calendar_time by default.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok, my assumption was that the calendar_time is the time when the entry was actually read and unix_time when it was created. Like for a log line where we have @timestamp potentially from the log line and beat.read_time. Perhaps beat.read_time should be event.collection_timestamp?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I added read_time (btw, it's not prefixed by beat) as being the read time when filebeat reads the log lines.

- name: unix_time
type: long
description: >
Unix timestamp of the event. Used for computing the `@timestamp` column.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this in seconds since epoch?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, I'll update the docs for clarity.

@tsg tsg removed the in progress Pull request is currently in progress. label Jan 9, 2018
@tsg
Copy link
Contributor Author

tsg commented Jan 9, 2018

Added another dashboard, addressed comments, and rebased to master. If green, this is good for merging from my POV.

tsg added 4 commits January 10, 2018 09:54
This adds a Filebeat module for centralising osquery logs.

osqueryd writes the results in JSON, which makes it fairly easy to ingest to the Elastic stack. The module uses the JSON decoding support in Filebeat, and then renames the fields to match the Beats naming conventions (most fields prefixed with osquery.result). There is an option (use_namespace: false) to leave the fields as they were in the original JSON, but changing that settings makes the sample dashboards unusable.

This module comes with two dashboards, one for the compliance pack in osquery, the other for the ossec-rootkit pack.
@kvch kvch merged commit 94ad82c into elastic:master Jan 10, 2018
@@ -45,7 +45,7 @@
{
"rename": {
"field": "@timestamp",
"target_field": "beat.read_time"
"target_field": "read_timestamp"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@tsg This seems to be a breaking change? Also saw there is no CHANGELOG for this PR.

@etursunbaev
Copy link

etursunbaev commented Feb 20, 2018

Hi, all!
Cannot find information how to add osquery module to filebeat?
In /usr/share/filebeat there is no osquery module

/usr/share/filebeat/module# ls -l
total 20
drwxr-xr-x 4 root root 4096 Feb 19 17:51 apache2
drwxr-xr-x 3 root root 4096 Feb 19 17:51 auditd
drwxr-xr-x 4 root root 4096 Feb 19 17:51 mysql
drwxr-xr-x 4 root root 4096 Feb 19 17:51 nginx
drwxr-xr-x 4 root root 4096 Feb 19 17:51 system

@tsg ^^^

@jjqq2013
Copy link

@etursunbaev your filebeat version seems old.

To use osquery module in older version, you can reference this:
94ad82c#commitcomment-27831592

https://github.com/jjqq2013/misc/tree/master/elasticsearch5.4.0

@jjqq2013
Copy link

Hi, all, do you know what will be the document type of osquery module?
When I use output to kafka, I need set the topic

topic: '%{[fields.log_topic]}'

What is the value when use osquery module?

@jjqq2013
Copy link

Oh, no problem. I found it: I need define fields. log_topic in prospector.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants