版权声明:本文为木偶人shaon原创文章,转载请注明原文地址,非常感谢。 https://cloud.tencent.com/developer/article/1434658
[root@linuxprobe~]# yum -y install https://osquery-packages.s3.amazonaws.com/centos7/noarch/osquery-s3-centos7-repo-1-0.0.noarch.rpm
[root@linuxprobe~]# yum -y install osquery
osquery 使用文档: https://osquery.io/docs/tables/
# 使用例子
# run osquery shell
[root@linuxprobe~]# osqueryi
osquery - being built, with love, at Facebook
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Using a virtual database. Need help, type '.help'
osquery>
# show all columns of the table for the OS version
osquery> select * from os_version;
+--------------+----------+-------+-------+-------+-------+----------+---------------+----------+
| name | version | major | minor | patch | build | platform | platform_like | codename |
+--------------+----------+-------+-------+-------+-------+----------+---------------+----------+
| CentOS Linux | 7 (Core) | 7 | | | | centos | rhel fedora | |
+--------------+----------+-------+-------+-------+-------+----------+---------------+----------+
# show selected columns of the table for system info
osquery> select hostname, cpu_brand, hardware_vendor, hardware_model from system_info;
+----------------+-----------------------------------------+-----------------+-------------------------+
| hostname | cpu_brand | hardware_vendor | hardware_model |
+----------------+-----------------------------------------+-----------------+-------------------------+
| linuxprobe.org | Intel(R) Core(TM) i5-4590 CPU @ 3.30GHz | VMware, Inc. | VMware Virtual Platform |
+----------------+-----------------------------------------+-----------------+-------------------------+
# show selected columns of the users table, restricted to UIDs of 1000 or higher
osquery> select uid, gid, username, shell from users where uid >= 1000;
+-------+-------+-----------+---------------+
| uid | gid | username | shell |
+-------+-------+-----------+---------------+
| 1000 | 1000 | shaon | /bin/bash |
| 1001 | 1001 | wang | /bin/bash |
| 65534 | 65534 | nfsnobody | /sbin/nologin |
+-------+-------+-----------+---------------+
# show all columns of the table for CPU time
osquery> select * from cpu_time;
+------+------+------+--------+-------+--------+-----+---------+-------+-------+------------+
| core | user | nice | system | idle | iowait | irq | softirq | steal | guest | guest_nice |
+------+------+------+--------+-------+--------+-----+---------+-------+-------+------------+
| 0 | 912 | 0 | 3679 | 54015 | 2149 | 0 | 157 | 0 | 0 | 0 |
+------+------+------+--------+-------+--------+-----+---------+-------+-------+------------+
# to quit the shell, press Ctrl+D
osquery>
[root@linuxprobe~]# vi /etc/osquery/osquery.conf
# create new
{
"options": {
// select the osquery config plugin (filesystem is default)
"config_plugin": "filesystem",
// select the osquery logging plugin (filesystem is default)
"logger_plugin": "filesystem",
// path of the log directory
"logger_path": "/var/log/osquery",
// PID file of the daemon
"pidfile": "/var/osquery/osquery.pidfile",
// number of worker threads for concurrent queries
"worker_threads": "2",
// enable schedule profiling
// if the query "select * from osquery_schedule" is added to the schedule section,
// the performance of scheduled queries can be recorded
"enable_monitor": "true"
},
"schedule": {
// for example, collect CPU time every 300 seconds
"cpu_time": {
"query": "SELECT * FROM cpu_time;",
"interval": 300
},
// for example, collect the resolv.conf settings once an hour
"dns_resolvers": {
"query": "SELECT * FROM dns_resolvers;",
"interval": 3600
}
},
"packs": {
// other configuration files (packs) can be included here
"hardware-monitoring": "/usr/share/osquery/packs/hardware-monitoring.conf"
}
}
[root@linuxprobe ~]# systemctl start osqueryd
[root@linuxprobe ~]# systemctl enable osqueryd
Created symlink from /etc/systemd/system/multi-user.target.wants/osqueryd.service to /usr/lib/systemd/system/osqueryd.service.
[root@linuxprobe osquery]# less /var/log/osquery/osqueryd.results.log