Installing the osquery monitoring system on CentOS 7


About osquery

osquery exposes the operating system as a relational database: processes, users, network state, hardware and so on are tables that can be queried with SQL, either interactively through the osqueryi shell or on a schedule by the osqueryd daemon, whose results are written to a log.

Installing osquery

# the first command installs osquery's yum repository definition, the second installs osquery from that repository
[root@linuxprobe ~]# yum -y install https://osquery-packages.s3.amazonaws.com/centos7/noarch/osquery-s3-centos7-repo-1-0.0.noarch.rpm
[root@linuxprobe ~]# yum -y install osquery

osquery table reference: https://osquery.io/docs/tables/

# usage examples
# run the osquery shell
[root@linuxprobe ~]# osqueryi
osquery - being built, with love, at Facebook
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Using a virtual database. Need help, type '.help'
osquery>
# show all columns of the os_version table (OS version)
osquery> select * from os_version;
+--------------+----------+-------+-------+-------+-------+----------+---------------+----------+
| name         | version  | major | minor | patch | build | platform | platform_like | codename |
+--------------+----------+-------+-------+-------+-------+----------+---------------+----------+
| CentOS Linux | 7 (Core) | 7     |       |       |       | centos   | rhel fedora   |          |
+--------------+----------+-------+-------+-------+-------+----------+---------------+----------+

# show selected columns of the system_info table (system information)
osquery> select hostname,cpu_brand,hardware_vendor,hardware_model from system_info;
+----------------+-----------------------------------------+-----------------+-------------------------+
| hostname       | cpu_brand                               | hardware_vendor | hardware_model          |
+----------------+-----------------------------------------+-----------------+-------------------------+
| linuxprobe.org | Intel(R) Core(TM) i5-4590 CPU @ 3.30GHz | VMware, Inc.    | VMware Virtual Platform |
+----------------+-----------------------------------------+-----------------+-------------------------+

# show selected columns of the users table, restricted to UIDs of 1000 and above (regular accounts)
osquery> select uid,gid,username,shell from users where uid >= 1000;
+-------+-------+-----------+---------------+
| uid   | gid   | username  | shell         |
+-------+-------+-----------+---------------+
| 1000  | 1000  | shaon     | /bin/bash     |
| 1001  | 1001  | wang      | /bin/bash     |
| 65534 | 65534 | nfsnobody | /sbin/nologin |
+-------+-------+-----------+---------------+

# show all columns of the cpu_time table (CPU time counters)
osquery> select * from cpu_time;
+------+------+------+--------+-------+--------+-----+---------+-------+-------+------------+
| core | user | nice | system | idle  | iowait | irq | softirq | steal | guest | guest_nice |
+------+------+------+--------+-------+--------+-----+---------+-------+-------+------------+
| 0    | 912  | 0    | 3679   | 54015 | 2149   | 0   | 157     | 0     | 0     | 0          |
+------+------+------+--------+-------+--------+-----+---------+-------+-------+------------+

# to quit the shell, press Ctrl+D
osquery>

Scheduled monitoring configuration

[root@linuxprobe ~]# vi /etc/osquery/osquery.conf
# create new (the package also ships /usr/share/osquery/osquery.example.conf as a template)
{
  "options": {
    // select the osquery config plugin (filesystem is the default)
    "config_plugin": "filesystem",
    // select the osquery logging plugin (filesystem is the default)
    "logger_plugin": "filesystem",
    // the path of the log directory
    "logger_path": "/var/log/osquery",
    // PID file of the daemon
    "pidfile": "/var/osquery/osquery.pidfile",
    // the number of threads for concurrent queries
    "worker_threads": "2",
    // enable schedule profiling:
    // if a query "select * from osquery_schedule" is added to the schedule section,
    // the performance of each scheduled query can be recorded
    "enable_monitor": "true"
  },
  "schedule": {
    // for example, get CPU time every 300 seconds
    // (cpu_time counters change on every run, so a differential query logs every row
    // as "removed" and "added" each interval; add "snapshot": true to log the whole
    // table instead)
    "cpu_time": {
      "query": "SELECT * FROM cpu_time;",
      "interval": 300
    },
    // for example, get the settings of resolv.conf every hour
    "dns_resolvers": {
      "query": "SELECT * FROM dns_resolvers;",
      "interval": 3600
    }
  },
  "packs": {
    // other configuration files (query packs) can be included here
    "hardware-monitoring": "/usr/share/osquery/packs/hardware-monitoring.conf"
  }
}
  • Start osquery
Before (re)starting the daemon, `osqueryd --config_check` parses the configuration file and reports syntax errors instead of starting, which is cheaper than discovering a bad edit from a failed unit.
[root@linuxprobe ~]# systemctl start osqueryd
[root@linuxprobe ~]# systemctl enable osqueryd
Created symlink from /etc/systemd/system/multi-user.target.wants/osqueryd.service to /usr/lib/systemd/system/osqueryd.service.
  • View the osquery logs
With the filesystem logger, results of differential scheduled queries are appended to osqueryd.results.log as one JSON record per line; queries marked as snapshots go to osqueryd.snapshots.log, and the daemon's own status messages to osqueryd.INFO in the same directory.
[root@linuxprobe ~]# less /var/log/osquery/osqueryd.results.log
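As an added example (not from the original article and not part of the osquery project), here is a small Python parser for that results log, the kind of thing a detection pipeline does before shipping events on. Record shapes follow what osqueryd's filesystem logger writes: a differential record carries one row under "columns" with "action" set to "added" or "removed"; a snapshot record carries the whole result set under "snapshot". The log lines are constructed for the example; the `users` query is assumed to have been added to the schedule alongside the two queries shown above, and the two account rules (a second uid 0 account, a new uid >= 1000 account with a login shell) are this example's own, not osquery defaults.

```python
"""Parse osqueryd.results.log (filesystem logger, one JSON record per line)
and derive simple findings from the differential and snapshot records."""
import json
from collections import defaultdict

# Constructed sample lines in the shape osqueryd's filesystem logger writes.
# The "users" query is an assumption: it is not in the schedule shown above.
# The last line is deliberately corrupt to exercise the error handling.
SAMPLE_LOG = r"""
{"name":"dns_resolvers","hostIdentifier":"linuxprobe.org","calendarTime":"Mon Jan  1 00:00:00 2018 UTC","unixTime":1514764800,"epoch":0,"counter":0,"columns":{"id":"0","type":"nameserver","address":"192.168.10.1","netmask":"32","options":"0"},"action":"removed"}
{"name":"dns_resolvers","hostIdentifier":"linuxprobe.org","calendarTime":"Mon Jan  1 00:00:00 2018 UTC","unixTime":1514764800,"epoch":0,"counter":0,"columns":{"id":"0","type":"nameserver","address":"203.0.113.53","netmask":"32","options":"0"},"action":"added"}
{"name":"users","hostIdentifier":"linuxprobe.org","calendarTime":"Mon Jan  1 00:05:00 2018 UTC","unixTime":1514765100,"epoch":0,"counter":1,"columns":{"uid":"1002","gid":"1002","username":"backup2","shell":"/bin/bash"},"action":"added"}
{"name":"users","hostIdentifier":"linuxprobe.org","calendarTime":"Mon Jan  1 00:05:00 2018 UTC","unixTime":1514765100,"epoch":0,"counter":1,"columns":{"uid":"0","gid":"0","username":"toor","shell":"/bin/bash"},"action":"added"}
{"name":"cpu_time","hostIdentifier":"linuxprobe.org","calendarTime":"Mon Jan  1 00:05:00 2018 UTC","unixTime":1514765100,"epoch":0,"counter":1,"snapshot":[{"core":"0","user":"912","nice":"0","system":"3679","idle":"54015","iowait":"2149","irq":"0","softirq":"157","steal":"0","guest":"0","guest_nice":"0"}],"action":"snapshot"}
not json at all
"""

NON_LOGIN_SHELLS = ("/sbin/nologin", "/bin/false")


def parse_results(text):
    """Yield (query_name, action, row) for every well-formed record.

    Snapshot records are flattened to one tuple per row so callers can
    treat both record kinds uniformly."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            # A truncated or corrupt line must not stop processing of the rest.
            continue
        name, action = rec.get("name"), rec.get("action")
        if action == "snapshot":
            for row in rec.get("snapshot", []):
                yield name, action, row
        elif action in ("added", "removed"):
            yield name, action, rec.get("columns", {})


def summarize(text):
    """Count rows per query name and action, e.g. {'users': {'added': 2}}."""
    counts = defaultdict(lambda: defaultdict(int))
    for name, action, _ in parse_results(text):
        counts[name][action] += 1
    return {name: dict(actions) for name, actions in counts.items()}


def suspicious_users(text):
    """Flag newly added accounts: a uid 0 account other than root, or a
    regular (uid >= 1000) account created with an interactive shell."""
    findings = []
    for name, action, row in parse_results(text):
        if name != "users" or action != "added":
            continue
        uid = int(row["uid"])
        if uid == 0 and row["username"] != "root":
            findings.append(("extra uid 0 account", row["username"]))
        elif uid >= 1000 and row.get("shell") not in NON_LOGIN_SHELLS:
            findings.append(("new interactive account", row["username"]))
    return findings


def resolver_changes(text):
    """Return (removed, added) nameserver addresses from dns_resolvers diffs;
    a resolver swap is a classic sign of DNS hijacking on the host."""
    removed, added = [], []
    for name, action, row in parse_results(text):
        if name != "dns_resolvers" or action not in ("added", "removed"):
            continue
        if row.get("type") != "nameserver":
            continue
        (added if action == "added" else removed).append(row["address"])
    return removed, added


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    print(suspicious_users(SAMPLE_LOG))
    print(resolver_changes(SAMPLE_LOG))
```

On a live host, replace SAMPLE_LOG with the contents of /var/log/osquery/osqueryd.results.log (or follow the file as it grows); each scheduled query's name in the config is the "name" field you filter on.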
