
Installing the osquery monitoring system on CentOS 7


Published: 2018-11-22 09:27  Source:  Views: 2014

osquery overview

Installing osquery

[root@linuxprobe ~]# yum -y install https://osquery-packages.s3.amazonaws.com/centos7/noarch/osquery-s3-centos7-repo-1-0.0.noarch.rpm
[root@linuxprobe ~]# yum -y install osquery

osquery table documentation: https://osquery.io/docs/tables/

# Usage examples
# run the osquery shell
[root@linuxprobe ~]# osqueryi
osquery - being built, with love, at Facebook
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Using a virtual database. Need help, type '.help'
osquery>
# show all columns of the os_version table (OS version)
osquery> select * from os_version;
+--------------+----------+-------+-------+-------+-------+----------+---------------+----------+
| name         | version  | major | minor | patch | build | platform | platform_like | codename |
+--------------+----------+-------+-------+-------+-------+----------+---------------+----------+
| CentOS Linux | 7 (Core) | 7     |       |       |       | centos   | rhel fedora   |          |
+--------------+----------+-------+-------+-------+-------+----------+---------------+----------+
# show selected columns of the system_info table (system information)
osquery> select hostname, cpu_brand, hardware_vendor, hardware_model from system_info;
+----------------+-----------------------------------------+-----------------+-------------------------+
| hostname       | cpu_brand                               | hardware_vendor | hardware_model          |
+----------------+-----------------------------------------+-----------------+-------------------------+
| linuxprobe.org | Intel(R) Core(TM) i5-4590 CPU @ 3.30GHz | VMware, Inc.    | VMware Virtual Platform |
+----------------+-----------------------------------------+-----------------+-------------------------+
# show selected columns of the users table, restricted to UIDs of 1000 and above
osquery> select uid, gid, username, shell from users where uid >= 1000;
+-------+-------+-----------+---------------+
| uid   | gid   | username  | shell         |
+-------+-------+-----------+---------------+
| 1000  | 1000  | shaon     | /bin/bash     |
| 1001  | 1001  | wang      | /bin/bash     |
| 65534 | 65534 | nfsnobody | /sbin/nologin |
+-------+-------+-----------+---------------+
# show all columns of the cpu_time table (CPU time)
osquery> select * from cpu_time;
+------+------+------+--------+-------+--------+-----+---------+-------+-------+------------+
| core | user | nice | system | idle  | iowait | irq | softirq | steal | guest | guest_nice |
+------+------+------+--------+-------+--------+-----+---------+-------+-------+------------+
| 0    | 912  | 0    | 3679   | 54015 | 2149   | 0   | 157     | 0     | 0     | 0          |
+------+------+------+--------+-------+--------+-----+---------+-------+-------+------------+
# to quit the shell, press Ctrl+D
osquery>

Scheduled monitoring configuration

[root@linuxprobe ~]# vi /etc/osquery/osquery.conf
# create new
{
  "options": {
    // select the osquery config plugin (filesystem is default)
    "config_plugin": "filesystem",
    // select the osquery logging plugin (filesystem is default)
    "logger_plugin": "filesystem",
    // the PATH of the log directory
    "logger_path": "/var/log/osquery",
    // PID file of the daemon
    "pidfile": "/var/osquery/osquery.pidfile",
    // the number of threads for concurrent queries
    "worker_threads": "2",
    // enable schedule profiling
    // if a query "select * from osquery_schedule" is added in the schedule section,
    // it's possible to record the performance of each scheduled query
    "enable_monitor": "true"
  },
  "schedule": {
    // for example, get CPU time every 300 seconds
    "cpu_time": {
      "query": "SELECT * FROM cpu_time;",
      "interval": 300
    },
    // for example, get the settings of resolv.conf every hour
    "dns_resolvers": {
      "query": "SELECT * FROM dns_resolvers;",
      "interval": 3600
    }
  },
  "packs": {
    // it is possible to include other configuration files
    "hardware-monitoring": "/usr/share/osquery/packs/hardware-monitoring.conf"
  }
}
[root@linuxprobe ~]# systemctl start osqueryd
[root@linuxprobe ~]# systemctl enable osqueryd
Created symlink from /etc/systemd/system/multi-user.target.wants/osqueryd.service to /usr/lib/systemd/system/osqueryd.service.
[root@linuxprobe osquery]# less /var/log/osquery/osqueryd.results.log
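Reading osqueryd.results.log with less is fine for a first look, but the point of scheduling dns_resolvers is to notice when a host's resolver changes. The script below is an added example, not code from this page or from the osquery project: with the filesystem logger osqueryd appends one JSON object per line carrying "name", "hostIdentifier", "calendarTime", "unixTime", "columns" and, for differential results, "action" ("added" or "removed"). The log lines, the hostname and the resolver allowlist here are constructed for the demo; the parser skips malformed lines rather than aborting, and the triage flags any nameserver added that is not on the allowlist.

```python
"""Triage osqueryd.results.log entries produced by the schedule above.

Added example for this page (not osquery's own code). The log lines below are
constructed in the shape of osqueryd's differential filesystem log; the
allowlist of resolvers is an assumption you would replace with your own.
"""
import json
from collections import Counter

# Constructed sample of /var/log/osquery/osqueryd.results.log: a resolver row
# is logged, then an hour later it is removed and a different one is added.
SAMPLE_LOG = r'''
{"name":"dns_resolvers","hostIdentifier":"linuxprobe.org","calendarTime":"Thu Nov 22 01:27:00 2018 UTC","unixTime":1542850020,"epoch":0,"counter":0,"columns":{"id":"0","type":"nameserver","address":"192.168.10.1","netmask":"","options":""},"action":"added"}
{"name":"cpu_time","hostIdentifier":"linuxprobe.org","calendarTime":"Thu Nov 22 01:27:00 2018 UTC","unixTime":1542850020,"epoch":0,"counter":0,"columns":{"core":"0","user":"912","nice":"0","system":"3679","idle":"54015","iowait":"2149","irq":"0","softirq":"157","steal":"0","guest":"0","guest_nice":"0"},"action":"added"}
{"name":"dns_resolvers","hostIdentifier":"linuxprobe.org","calendarTime":"Thu Nov 22 02:27:00 2018 UTC","unixTime":1542853620,"epoch":0,"counter":1,"columns":{"id":"0","type":"nameserver","address":"192.168.10.1","netmask":"","options":""},"action":"removed"}
{"name":"dns_resolvers","hostIdentifier":"linuxprobe.org","calendarTime":"Thu Nov 22 02:27:00 2018 UTC","unixTime":1542853620,"epoch":0,"counter":1,"columns":{"id":"0","type":"nameserver","address":"203.0.113.53","netmask":"","options":""},"action":"added"}
not json at all
'''

# Assumption for the demo: the resolvers this host is expected to use.
ALLOWED_RESOLVERS = {"192.168.10.1"}


def parse_results(text: str) -> list:
    """Parse one JSON object per line; skip blank or malformed lines instead of aborting."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # a torn or truncated line must not stop the whole triage
        if "name" in event and "columns" in event:
            events.append(event)
    return events


def summarize(events: list) -> dict:
    """Count added/removed rows per scheduled query name, e.g. {'cpu_time:added': 1}."""
    counts = Counter((e["name"], e.get("action", "snapshot")) for e in events)
    return {f"{name}:{action}": n for (name, action), n in counts.items()}


def unexpected_resolvers(events: list, allowed: set) -> list:
    """Return (calendarTime, address) for every nameserver added that is not allowlisted."""
    hits = []
    for e in events:
        if e["name"] != "dns_resolvers" or e.get("action") != "added":
            continue
        cols = e["columns"]
        if cols.get("type") == "nameserver" and cols.get("address") not in allowed:
            hits.append((e["calendarTime"], cols["address"]))
    return hits


if __name__ == "__main__":
    evts = parse_results(SAMPLE_LOG)
    print(summarize(evts))
    for when, addr in unexpected_resolvers(evts, ALLOWED_RESOLVERS):
        print(f"ALERT {when}: resolver {addr} is not in the allowlist")
```

To run it against a real host, replace SAMPLE_LOG with the contents of /var/log/osquery/osqueryd.results.log and put the resolvers your DHCP or configuration management hands out into ALLOWED_RESOLVERS. Because the log is differential, an "added" row for a nameserver means resolv.conf changed since the previous run, which is why only "added" events are compared against the allowlist.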
