CentOS 7
OSQuery : Scheduled Monitoring
2016/10/16

By configuring a schedule and starting the daemon, the server's state is written to a log at fixed intervals, so it can be monitored over time.
[1] Write the required settings in the configuration file and start the service.
[root@dlp ~]#
vi /etc/osquery/osquery.conf
# create new

{
  "options": {
    // where the configuration is read from (filesystem is the default)
    "config_plugin": "filesystem",

    // where the logs are written (filesystem is the default)
    "logger_plugin": "filesystem",

    // path for the log output
    "logger_path": "/var/log/osquery",

    // PID file of the daemon
    "pidfile": "/var/osquery/osquery.pidfile",

    // number of threads for concurrently running queries
    "worker_threads": "2",

    // collect information about the scheduled queries themselves
    // adding "select * from osquery_schedule" to the schedule logs it
    "enable_monitor": "true"
  },

  "schedule": {
    // example: collect CPU time every 300 seconds
    "cpu_time": {
      "query": "SELECT * FROM cpu_time;",
      "interval": 300
    },
    // example: collect the resolv.conf settings every hour
    "dns_resolvers": {
      "query": "SELECT * FROM dns_resolvers;",
      "interval": 3600
    }
  },

  "packs": {
    // other configuration files (packs) can be included
    "hardware-monitoring": "/usr/share/osquery/packs/hardware-monitoring.conf"
  }
}

[root@dlp ~]#
systemctl start osqueryd

[root@dlp ~]#
systemctl enable osqueryd
[2] Results are written to the configured log destination according to each query's interval. However, after the first run only rows that differ from the previous result are written. For a query whose result rarely changes, like dns_resolvers in the example above, the rows are logged once on the first run and then nothing is written until the contents actually change.
[root@dlp ~]#
cat /var/log/osquery/osqueryd.results.log

{"name":"system_info","hostIdentifier":"dlp.srv.world","calendarTime":"Mon Oct 17 06:37:35 2016 UTC","unixTime":"1...
{"name":"system_info","hostIdentifier":"dlp.srv.world","calendarTime":"Mon Oct 17 06:37:35 2016 UTC","unixTime":"1...
{"name":"system_info","hostIdentifier":"dlp.srv.world","calendarTime":"Mon Oct 17 06:37:35 2016 UTC","unixTime":"1...
{"name":"system_info","hostIdentifier":"dlp.srv.world","calendarTime":"Mon Oct 17 06:37:35 2016 UTC","unixTime":"1...
{"name":"system_info","hostIdentifier":"dlp.srv.world","calendarTime":"Mon Oct 17 06:37:35 2016 UTC","unixTime":"1...
{"name":"system_info","hostIdentifier":"dlp.srv.world","calendarTime":"Mon Oct 17 06:37:35 2016 UTC","unixTime":"1...
{"name":"system_info","hostIdentifier":"dlp.srv.world","calendarTime":"Mon Oct 17 06:37:35 2016 UTC","unixTime":"1...
{"name":"system_info","hostIdentifier":"dlp.srv.world","calendarTime":"Mon Oct 17 06:37:35 2016 UTC","unixTime":"1...
{"name":"dns_resolvers","hostIdentifier":"dlp.srv.world","calendarTime":"Mon Oct 17 06:38:00 2016 UTC","unixTime":...
{"name":"dns_resolvers","hostIdentifier":"dlp.srv.world","calendarTime":"Mon Oct 17 06:38:00 2016 UTC","unixTime":...
{"name":"system_info","hostIdentifier":"dlp.srv.world","calendarTime":"Mon Oct 17 06:38:30 2016 UTC","unixTime":"1...
{"name":"system_info","hostIdentifier":"dlp.srv.world","calendarTime":"Mon Oct 17 06:38:30 2016 UTC","unixTime":"1...
{"name":"system_info","hostIdentifier":"dlp.srv.world","calendarTime":"Mon Oct 17 06:38:30 2016 UTC","unixTime":"1...
{"name":"system_info","hostIdentifier":"dlp.srv.world","calendarTime":"Mon Oct 17 06:38:30 2016 UTC","unixTime":"1...
{"name":"system_info","hostIdentifier":"dlp.srv.world","calendarTime":"Mon Oct 17 06:38:30 2016 UTC","unixTime":"1...
{"name":"system_info","hostIdentifier":"dlp.srv.world","calendarTime":"Mon Oct 17 06:38:30 2016 UTC","unixTime":"1...
{"name":"system_info","hostIdentifier":"dlp.srv.world","calendarTime":"Mon Oct 17 06:38:30 2016 UTC","unixTime":"1...
{"name":"system_info","hostIdentifier":"dlp.srv.world","calendarTime":"Mon Oct 17 06:38:30 2016 UTC","unixTime":"1...
{"name":"system_info","hostIdentifier":"dlp.srv.world","calendarTime":"Mon Oct 17 06:39:25 2016 UTC","unixTime":"1...
{"name":"system_info","hostIdentifier":"dlp.srv.world","calendarTime":"Mon Oct 17 06:39:25 2016 UTC","unixTime":"1...
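Because osqueryd writes only the differences, the current state of a query has to be rebuilt by replaying the "added" and "removed" events in order. The following is an added example (not code from the page or from the osquery project) that replays constructed results.log lines for the dns_resolvers query above and flags every nameserver that was added or removed, which is the event a defender wants to see when a host's resolver is silently changed. The sample lines and their values are constructed for this example.

```python
import json

# Constructed sample of osqueryd.results.log lines in osquery's differential
# format: each line carries the query "name", one row in "columns" and an
# "action" of "added" or "removed". Addresses and times are made up.
SAMPLE_LOG = """\
{"name":"dns_resolvers","hostIdentifier":"dlp.srv.world","calendarTime":"Mon Oct 17 06:38:00 2016 UTC","unixTime":"1476686280","columns":{"id":"0","type":"nameserver","address":"10.0.0.10","netmask":"32"},"action":"added"}
{"name":"dns_resolvers","hostIdentifier":"dlp.srv.world","calendarTime":"Mon Oct 17 06:38:00 2016 UTC","unixTime":"1476686280","columns":{"id":"1","type":"search","address":"srv.world","netmask":""},"action":"added"}
{"name":"cpu_time","hostIdentifier":"dlp.srv.world","calendarTime":"Mon Oct 17 06:38:30 2016 UTC","unixTime":"1476686310","columns":{"core":"0","user":"1234"},"action":"added"}
this line is not json and must be skipped
{"name":"dns_resolvers","hostIdentifier":"dlp.srv.world","calendarTime":"Mon Oct 17 07:38:00 2016 UTC","unixTime":"1476689880","columns":{"id":"0","type":"nameserver","address":"10.0.0.10","netmask":"32"},"action":"removed"}
{"name":"dns_resolvers","hostIdentifier":"dlp.srv.world","calendarTime":"Mon Oct 17 07:38:00 2016 UTC","unixTime":"1476689880","columns":{"id":"0","type":"nameserver","address":"192.0.2.53","netmask":"32"},"action":"added"}
"""


def replay_results_log(text, query_name):
    """Replay the differential events of one scheduled query.

    Returns (current_rows, changes): current_rows is the set of rows the
    query would return now (each row a frozenset of (column, value) pairs),
    changes is the ordered list of (calendarTime, action, row) events.
    """
    current = set()
    changes = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # truncated or corrupted line, e.g. daemon stopped mid-write
        if event.get("name") != query_name:
            continue
        row = frozenset(event.get("columns", {}).items())
        action = event.get("action")
        if action == "added":
            current.add(row)
        elif action == "removed":
            current.discard(row)
        else:
            continue  # unknown action: ignore rather than corrupt the state
        changes.append((event.get("calendarTime"), action, dict(row)))
    return current, changes


def nameserver_changes(text):
    """List every nameserver added to or removed from resolv.conf, in order."""
    _, changes = replay_results_log(text, "dns_resolvers")
    return [(t, a, r["address"]) for t, a, r in changes if r.get("type") == "nameserver"]
```

Run against the real file with `replay_results_log(open("/var/log/osquery/osqueryd.results.log").read(), "dns_resolvers")`; the same replay works for any query in the schedule.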