
...

To enable this pack, create a new pack containing the same queries. Follow the steps below:

  1. Add a new file called agent_monitoring.yaml in the playbooks/roles/deam-packs/files/optional-devo-packs directory (relative to the path where Devo EA Manager was extracted) with the following content:

    ---
    # Pack manifest: which queries run, how often, and on which hosts.
    # Every `query:` entry below refers by name to a `kind: query` document
    # later in this file, so the two sets of names must stay in sync.
    apiVersion: v1
    kind: pack
    spec:
      name: DevoAgentMonitoringPack
      queries:
      # `interval` differs per query; the unit is not stated on this page —
      # presumably seconds, as in osquery schedules — TODO confirm in the EAM docs.
      # `snapshot: true` is set on every entry; this looks like osquery's snapshot
      # mode (full result set each run rather than added/removed diffs) — confirm
      # before building alerting on row deltas.
      - description: Information about the event publishers and subscribers.
        platform: all
        interval: 60
        name: devo_osquery_events
        query: devo_osquery_events
        snapshot: true
      - description: List of active osquery extensions.
        platform: all
        interval: 300
        name: devo_osquery_extensions
        query: devo_osquery_extensions
        snapshot: true
      - description: Configurable flags that modify osquery's behavior.
        platform: all
        interval: 900
        name: devo_osquery_flags
        query: devo_osquery_flags
        snapshot: true
      - description: Top level information about the running version of osquery.
        platform: all
        interval: 3600
        name: devo_osquery_info
        query: devo_osquery_info
        snapshot: true
      - description: Information about the current query packs that are loaded in osquery.
        platform: all
        interval: 900
        name: devo_osquery_packs
        query: devo_osquery_packs
        snapshot: true
      - description: List the osquery registry plugins.
        platform: all
        interval: 300
        name: devo_osquery_registry
        query: devo_osquery_registry
        snapshot: true
      - description: Information about the current queries that are scheduled in osquery.
        platform: all
        interval: 60
        name: devo_osquery_schedule
        query: devo_osquery_schedule
        snapshot: true
      targets:
        # The pack is applied to hosts carrying this label — presumably EAM's
        # built-in label covering every enrolled host; verify in the EAM Packs tab.
        labels:
        - All Hosts
    ---
    # Query definitions. Each one reads one of osquery's self-introspection
    # tables (osquery_*) and adds a constant `__devoTag` column; the
    # devo.ea.agent.* value is presumably the Devo tag the rows are ingested
    # under — confirm against the EAM documentation.
    apiVersion: v1
    kind: query
    spec:
      name: devo_osquery_events
      description: Information about the event publishers and subscribers.
      query: SELECT *, "devo.ea.agent.events_pubsub" AS __devoTag FROM osquery_events;
    ---
    apiVersion: v1
    kind: query
    spec:
      name: devo_osquery_extensions
      description: List of active osquery extensions.
      query: SELECT *, "devo.ea.agent.extensions" AS __devoTag FROM osquery_extensions;
    ---
    apiVersion: v1
    kind: query
    spec:
      name: devo_osquery_flags
      description: Configurable flags that modify osquery's behavior.
      query: SELECT *, "devo.ea.agent.flags" AS __devoTag FROM osquery_flags;
    ---
    apiVersion: v1
    kind: query
    spec:
      name: devo_osquery_info
      description: Top level information about the running version of osquery.
      query: SELECT *, "devo.ea.agent.info" AS __devoTag FROM osquery_info;
    ---
    apiVersion: v1
    kind: query
    spec:
      name: devo_osquery_packs
      description: Information about the current query packs that are loaded in osquery.
      query: SELECT *, "devo.ea.agent.packs" AS __devoTag FROM osquery_packs;
    ---
    apiVersion: v1
    kind: query
    spec:
      name: devo_osquery_registry
      description: List the osquery registry plugins.
      query: SELECT *, "devo.ea.agent.registry" AS __devoTag FROM osquery_registry;
    ---
    apiVersion: v1
    kind: query
    spec:
      name: devo_osquery_schedule
      description: Information about the current queries that are scheduled in osquery.
      query: SELECT *, "devo.ea.agent.schedule" AS __devoTag FROM osquery_schedule;
    
    

     

  2. Save the changes and add the new pack to the inventory file you used for your deployment, as shown in the following code snippet (line 12, marked `# New pack`):

    all:
      vars:
        deam_fqdnname: devo-ea-manager
        deam_admin_passwd: <deam_admin_passwd>
        dea_ap_repo_passwd: <dea_ap_repo_passwd>
        deam_redis_address: localhost:6379
        deam_mysql_address: localhost:3306
        deam_relay_entrypoint: tcp://collector-us.

...

  1. devo.io:443
        deam_packs_enabled:
          - configuration.yaml
          - fetchfiles.yaml
          - agent_monitoring.yaml     # New pack: the file created in step 1
      hosts:
        devo-ea-manager:
          # Set ansible_host to the public IP used to connect from Ansible and from the devo-ea agents
          ansible_host: <EAM host IP>
          ansible_user: <Server user>
          # Only required if you connect with a password (SSH keys avoid it).
          # This is a plaintext credential in the inventory: keep the file out of
          # version control, or store the value with ansible-vault.
          ansible_ssh_pass: <Super Secure Password>
          # StrictHostKeyChecking=no skips SSH host-key verification, which removes
          # the protection against connecting to a spoofed host. Use it for the
          # first connection at most; once the host key is in known_hosts, drop it.
          ansible_ssh_common_args: '-o StrictHostKeyChecking=no'
          # python3 is required for the ansible-playbooks on Ubuntu 18
          ansible_python_interpreter: /usr/bin/python3
      # Role groups: each one lists the single devo-ea-manager host, so all roles
      # are installed on the same machine.
      children:
        devoeamanagerserverone:
          hosts:
            devo-ea-manager:
        deamintsrvs:
          hosts:
            devo-ea-manager:
        deaagentpackager:
          hosts:
            devo-ea-manager:
        selfsigenedcertificates: # Alternative: providedcertificates (presumably for user-supplied certificates — confirm)
          hosts:
            devo-ea-manager:
        # devoeaagents.hosts is left empty in this excerpt.
        devoeaagents:
          hosts:

     

  3. Save the changes and run the deam-packs playbook to update your EAM with the new pack:

    # Run from the directory where Devo EA Manager was extracted (the playbook
    # path is relative to it); <inventory_file> is the inventory edited above.
    ansible-playbook -i <inventory_file> playbooks/deam-packs

     

  4. Ensure the new pack appears in the EAM Packs tab.