- \n
- Linux OS (Ubuntu 18.04 or CentOS 7)<\/li>\n
- Root privileges<\/li>\n<\/ul>\n
What we will do<\/h2>\n
- \n
- Install osquery on Linux Operating System<\/li>\n
- Basic Usage of osqueryi Interactive Mode<\/li>\n
- Monitoring System using osquery<\/li>\n<\/ul>\n
Step 1 – Install osquery on Linux Operating System<\/h2>\n
osquery provides its own repository for each platform. Ithis step, we will install the osquery package\u00a0from the official osquery repository.<\/p>\n
On Ubuntu<\/h3>\n
Add the osquery key.
<\/strong><\/p>\nexport OSQUERY_KEY=1484120AC4E9F8A1A577AEEE97A80C63C9D8B80B
sudo apt-key adv –keyserver keyserver.ubuntu.com –recv-keys $OSQUERY_KEY<\/p>\nInstall the osquery package on Ubuntu.<\/p>\n
sudo add-apt-repository ‘deb [arch=amd64] https:\/\/pkg.osquery.io\/deb deb main’
sudo apt install osquery -y
<\/strong><\/p>\nOn CentOS<\/h3>\n
Add the osquery key.
<\/strong><\/p>\ncurl -L https:\/\/pkg.osquery.io\/rpm\/GPG | sudo tee \/etc\/pki\/rpm-gpg\/RPM-GPG-KEY-osquery<\/p>\n
Install the osquery package on CentOS 7.<\/p>\n
sudo yum-config-manager –add-repo https:\/\/pkg.osquery.io\/rpm\/osquery-s3-rpm.repo
sudo yum-config-manager –enable osquery-s3-rpm
sudo yum install osquery<\/p>\nWait for all packages to be installed.<\/p>\n
![\"Install](\"https:\/\/afaghhosting.net\/blog\/wp-content\/uploads\/2018\/08\/how-to-monitor-your-linux-server-using-osquery.png\" "\\"\\"")
<\/a><\/p>\nStep 2 – Basic Usage of osqueryi Interactive Mode<\/h2>\n
osquery provides two main interfaces to the users, osqueryi, and osqueryd.<\/p>\n
osqueryi is the osquery interactive query console. It’s like the ‘mysql’ command shell on the MySQL and the ‘psql’ shell on PostgreSQL database.<\/p>\n
In this step, we will learn the basic usage of the ‘osqueryi’ interactive mode.<\/p>\n
Type the ‘osqueryi’ command on the server terminal, and you will get the osquery interactive console mode.<\/p>\n
osqueryi<\/p>\n
Next, we will learn about the basic command of the osqueryi console mode.<\/p>\n
Show all basic available commands on the interactive mode osqueryi.<\/p>\n
.help<\/p>\n
![\"using](\"https:\/\/afaghhosting.net\/blog\/wp-content\/uploads\/2018\/08\/how-to-monitor-your-linux-server-using-osquery-1.png\" "\\"\\"")
<\/a><\/p>\nShow the current osquery configurations and settings.<\/p>\n
.show<\/p>\n
![\"Show](\"https:\/\/afaghhosting.net\/blog\/wp-content\/uploads\/2018\/08\/how-to-monitor-your-linux-server-using-osquery-2.png\" "\\"\\"")
<\/a><\/p>\nOsquery provides multiple view modes to show query results. The default mode is the ‘pretty’ mode.<\/p>\n
Now we’ll change the view mode of query results, for this guide, we will be using the ‘line’ mode.<\/p>\n
.mode csv
.mode list
.mode column
.mode line
.mode pretty<\/p>\nOsquery exposes the operating system as a relational database system. All info about the system is stored in the osquery tables and we can explore the whole system info by querying all available tables.<\/p>\n
To get a list all available tables in the osquery, run the command below.<\/p>\n
.tables<\/p>\n
![\"Get](\"https:\/\/afaghhosting.net\/blog\/wp-content\/uploads\/2018\/08\/how-to-monitor-your-linux-server-using-osquery-3.png\" "\\"\\"")
<\/a><\/p>\nOnce we know all the available tables in the osquery system, we will look at the columns.<\/p>\n
Use the following command to get the schema (columns, types) of tables.<\/p>\n
.schema users
.schema processes<\/p>\n![\"Get](\"https:\/\/afaghhosting.net\/blog\/wp-content\/uploads\/2018\/08\/how-to-monitor-your-linux-server-using-osquery-4.png\" "\\"\\"")
<\/a><\/p>\nAnd you will get all schema columns of the table.<\/p>\n
Step 3 – Basic Linux Monitoring using query<\/h2>\n
In this step, we will monitor a live Linux system using the osquery. We will monitor the system profile info, users, network interfaces etc through the osqueryi interactive mode.<\/p>\n
Get System Info<\/h3>\n
Show\u00a0details about the system hardware.<\/p>\n
SELECT * FROM system_info;
SELECT hostname, cpu_type, physical_memory, hardware_vendor, hardware_model FROM system_info;<\/p>\n![\"Show](\"https:\/\/afaghhosting.net\/blog\/wp-content\/uploads\/2018\/08\/how-to-monitor-your-linux-server-using-osquery-5.png\" "\\"\\"")
<\/a><\/p>\nGet OS Version<\/h3>\n
Show the current operating system info, including the os version, platform, os patch, and codename.<\/p>\n
SELECT * FROM os_version;<\/p>\n
![\"Show](\"https:\/\/afaghhosting.net\/blog\/wp-content\/uploads\/2018\/08\/how-to-monitor-your-linux-server-using-osquery-6.png\" "\\"\\"")
<\/a><\/p>\nView Kernel Version and Modules<\/h3>\n
To check the kernel info of the system, osquery provides the tables ‘kernel_info’ and the ‘kernel_modules’.<\/p>\n
Show the kernel used by the system.<\/p>\n
SELECT * FROM kernel_info;<\/p>\n
Show all loaded kernel modules on the system.<\/p>\n
SELECT * FROM kernel_modules LIMIT 5;<\/p>\n
![\"get](\"https:\/\/afaghhosting.net\/blog\/wp-content\/uploads\/2018\/08\/how-to-monitor-your-linux-server-using-osquery-7.png\" "\\"\\"")
<\/a><\/p>\nChecking Repository and Packages<\/h3>\n
osquery provides tables for checking repositories and installed packages on both Linux Ubuntu and CentOS.<\/p>\n
– On Ubuntu<\/strong><\/p>\n
On Ubuntu, we can check the available repositories through the ‘apt_sources’ and check packages installed through the ‘deb_packages’.<\/p>\n
Check all available Ubuntu repositories.<\/p>\n
SELECT * FROM apt_sources;
SELECT name, base_uri, release, maintainer, components FROM apt_sources ORDER BY name;<\/p>\nCheck all packages installed using the deb_packages table.<\/p>\n
SELECT * FROM deb_packages;<\/p>\n
Show only the name of package and version.<\/p>\n
SELECT name, version FROM deb_packages ORDER BY name;<\/p>\n
![\"Check](\"https:\/\/afaghhosting.net\/blog\/wp-content\/uploads\/2018\/08\/how-to-monitor-your-linux-server-using-osquery-8.png\" "\\"\\"")
<\/a><\/p>\nFor a specific package, add the name filter.<\/p>\n
SELECT name, version FROM deb_packages WHERE name=”nginx”;<\/p>\n
![\"get](\"https:\/\/afaghhosting.net\/blog\/wp-content\/uploads\/2018\/08\/how-to-monitor-your-linux-server-using-osquery-9.png\" "\\"\\"")
<\/a><\/p>\n– On CentOS<\/strong><\/p>\n
On CentOS, we can check the available repository through the ‘yum_sources’ and check packages installed through the ‘rpm_packages’.<\/p>\n
Check all available CentOS repositories.<\/p>\n
SELECT * FROM yum_sources;
SELECT name, baseurl, enabled FROM yum_sources;<\/p>\nCheck enabled repository by adding the ‘enabled’ filter.<\/p>\n
SELECT name, baseurl, enabled FROM yum_sources WHERE enabled=1;<\/p>\n
![\"Get](\"https:\/\/afaghhosting.net\/blog\/wp-content\/uploads\/2018\/08\/how-to-monitor-your-linux-server-using-osquery-10.png\" "\\"\\"")
<\/a><\/p>\nCheck all packages installed using the rpm_packages table.<\/p>\n
SELECT * FROM rpm_packages;
SELECT name, version FROM rpm_packages ORDER BY name;<\/p>\nFor specific package name, add the name filter.<\/p>\n
SELECT name, version FROM rpm_packages WHERE name=”firewalld”;<\/p>\n
![\"Details](\"https:\/\/afaghhosting.net\/blog\/wp-content\/uploads\/2018\/08\/how-to-monitor-your-linux-server-using-osquery-11.png\" "\\"\\"")
<\/a><\/p>\nMount Disk Info<\/h3>\n
We can use the mounts table to check all details about the system drive, including free inodes, flags, type etc.<\/p>\n
Check all disks mounted by the system.<\/p>\n
SELECT * FROM mounts;
SELECT device, path, type, inodes_free, flags FROM mounts;<\/p>\nFor the specific type of device.<\/p>\n
SELECT device, path, type, inodes_free, flags FROM mounts WHERE type=”ext4″;
SELECT device, path, type, inodes_free, flags FROM mounts WHERE type=”tmpfs”;<\/p>\n![\"Get](\"https:\/\/afaghhosting.net\/blog\/wp-content\/uploads\/2018\/08\/how-to-monitor-your-linux-server-using-osquery-12.png\" "\\"\\"")
<\/a><\/p>\nMemory Info<\/h3>\n
Checking the system memory in bytes.<\/p>\n
SELECT * FROM memory_info;<\/p>\n
![\"Get](\"https:\/\/afaghhosting.net\/blog\/wp-content\/uploads\/2018\/08\/how-to-monitor-your-linux-server-using-osquery-13.png\" "\\"\\"")
<\/a><\/p>\nNetwork Interface Info<\/h3>\n
Checking the network address using ‘interface_addresses’.<\/p>\n
SELECT * FROM interface_addresses;<\/p>\n
![\"Network](\"https:\/\/afaghhosting.net\/blog\/wp-content\/uploads\/2018\/08\/how-to-monitor-your-linux-server-using-osquery-14.png\" "\\"\\"")
<\/a><\/p>\nChecking the network interface details using ‘interface_details’.<\/p>\n
SELECT * FROM interface_details;
SELECT interface, mac, ipackets, opackets, ibytes, obytes FROM interface_details;<\/p>\n![\"Network](\"https:\/\/afaghhosting.net\/blog\/wp-content\/uploads\/2018\/08\/how-to-monitor-your-linux-server-using-osquery-15.png\" "\\"\\"")
<\/a><\/p>\nServer Uptime<\/h3>\n
Checking the server uptime.<\/p>\n
SELECT * FROM uptime;<\/p>\n
![\"\"](\"https:\/\/afaghhosting.net\/blog\/wp-content\/uploads\/2018\/08\/how-to-monitor-your-linux-server-using-osquery-16.png\" "\\"\\"")
<\/a><\/p>\nChecking User<\/h3>\n
osqery provides detail tables for checking system users. We can use the ‘users’ table to check all users on the system, using the ‘last’ table to check users last login, and using the ‘logged_in_users’ to get the logged in user with the active shell.<\/p>\n
To check all available users on the server, use the ‘users’ table.<\/p>\n
SELECT * FROM users;<\/p>\n
For normal users, we can specify the uid to ‘>=1000’.<\/p>\n
SELECT * FROM users WHERE uid>=1000;<\/p>\n
![\"System](\"https:\/\/afaghhosting.net\/blog\/wp-content\/uploads\/2018\/08\/how-to-monitor-your-linux-server-using-osquery-17.png\" "\\"\\"")
<\/a><\/p>\nTo check the last login users, use the ‘last’ table.<\/p>\n
SELECT * FROM last;<\/p>\n
![\"Last](\"https:\/\/afaghhosting.net\/blog\/wp-content\/uploads\/2018\/08\/how-to-monitor-your-linux-server-using-osquery-18.png\" "\\"\\"")
<\/a><\/p>\nFor normal users, fill ‘type’ to ‘7’.<\/p>\n
SELECT username, time, host FROM last WHERE type=7;<\/p>\n
![\"Get](\"https:\/\/afaghhosting.net\/blog\/wp-content\/uploads\/2018\/08\/how-to-monitor-your-linux-server-using-osquery-19.png\" "\\"\\"")
<\/a><\/p>\nChecking the logged in user with active shell, use the ‘logged_in_users’ tables.<\/p>\n
SELECT * FROM logged_in_users;<\/p>\n
IP Tables Firewall Info<\/h3>\n
With the ‘tables’ table, we can check all available rules of the firewall, including the chain, policy, src\/dst IP and port etc.<\/p>\n
Show all iptables rules.<\/p>\n
SELECT * FROM iptables;<\/p>\n
Specify the rule using the custom query below.<\/p>\n
SELECT chain, policy, src_ip, dst_ip FROM iptables WHERE chain=”POSTROUTING” order by src_ip;<\/p>\n
![\"IP](\"https:\/\/afaghhosting.net\/blog\/wp-content\/uploads\/2018\/08\/how-to-monitor-your-linux-server-using-osquery-20.png\" "\\"\\"")
<\/a><\/p>\nProcess Info<\/h3>\n
We can check all application process by using the ‘processes’ table. It provides detailed info about the process including pid, name, path, command etc.<\/p>\n
Basic processes query for checking all running apps.<\/p>\n
SELECT * FROM processes;<\/p>\n
Specify columns for pid etc, path, and the command.<\/p>\n
SELECT pid, name, path, cmdline FROM processes;<\/p>\n
![\"Details](\"https:\/\/afaghhosting.net\/blog\/wp-content\/uploads\/2018\/08\/how-to-monitor-your-linux-server-using-osquery-21.png\" "\\"\\"")
<\/a><\/p>\nChecking Cron Job<\/h3>\n
Check available cron job and time of script run using the ‘crontab’ table.<\/p>\n
SELECT * FROM crontab;<\/p>\n
![\"Cronjobs\"](\"https:\/\/afaghhosting.net\/blog\/wp-content\/uploads\/2018\/08\/how-to-monitor-your-linux-server-using-osquery-22.png\" "\\"\\"")
<\/a><\/p>\nSUID Binary File<\/h3>\n
SUID (Set owner User ID up on execution) is a special type of file permissions given to a file and mostly binary executable files.<\/p>\n
Check all available said binary file.<\/p>\n
SELECT * FROM suid_bin;<\/p>\n
Specify the username and group name.<\/p>\n
SELECT * FROM suid_bin WHERE username=”root” AND groupname=”nobody” order by path;<\/p>\n
![\"List](\"https:\/\/afaghhosting.net\/blog\/wp-content\/uploads\/2018\/08\/how-to-monitor-your-linux-server-using-osquery-23.png\" "\\"\\"")
<\/a><\/p>\nAnd all the above is the basic Linux system monitoring using osquery.<\/p>\n
Reference<\/h2>\n
\nShare this page:<\/b><\/p>\n
\n
![\"\"](\"https:\/\/afaghhosting.net\/blog\/wp-content\/uploads\/2018\/08\/how-to-monitor-your-linux-server-using-osquery-24.png\" "\\"\\"")
<\/a>
\n![\"\"](\"https:\/\/afaghhosting.net\/blog\/wp-content\/uploads\/2018\/08\/how-to-monitor-your-linux-server-using-osquery-25.png\" "\\"\\"")
<\/a>
\n![\"\"](\"https:\/\/afaghhosting.net\/blog\/wp-content\/uploads\/2018\/08\/how-to-monitor-your-linux-server-using-osquery-26.png\" "\\"\\"")
<\/a>
\n![\"\"](\"https:\/\/afaghhosting.net\/blog\/wp-content\/uploads\/2018\/08\/how-to-monitor-your-linux-server-using-osquery-27.png\" "\\"\\"")
<\/a>\n<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"Osquery is an open source Operating System monitoring, query, and analytics software. Created by Facebook, it exposes an operating system as a high-performance relational database that can be queried using SQL-based queries. Osquery is a multi-platform software, can be installed on Linux, Windows, MacOS, and FreeBSD. Osquery allows us to explore\u00a0the operating system profile, performance, …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[36],"tags":[],"class_list":["post-6245","post","type-post","status-publish","format-standard","hentry","category-36"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/6245","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=6245"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/6245\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=6245"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=6245"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=6245"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
![\"Install](\"https:\/\/www.howtoforge.com\/images\/how_to_monitor_linux_server_using_osquery\/big\/1.png\" "\\"\\"")
<\/a><\/p>\n