
How to enable syslog events

When the endpoint agent starts up, it attempts to create (and set the proper permissions on) a named pipe for rsyslogd (or a similar daemon) to write to. The path of this pipe is set by the configuration flag --syslog_pipe_path (default: /var/osquery/syslog_pipe). This document describes the steps required to configure rsyslogd to send its data to that pipe.

Once rsyslog is properly configured to send events to osquery, the data shows up in box.devo_ea.events_linux, provided that the default query all_linux_syslog_events (included in DevoEventsPack) is enabled.

Requirements

In order to natively capture syslog events, a system utility for message logging is required. This document uses rsyslogd as the reference, since it is shipped and enabled by default on a wide range of Linux distributions.

Other tools such as syslog-ng can also be used; see more info here.

Enablement in Endpoint Agent

  • Configure the system syslog daemon. Add a new file (e.g. 60-osquery.conf) to /etc/rsyslog.d:

The older format also works with newer versions of rsyslog, but the new format is recommended.

Rsyslog versions < 7

    $template OsqueryCsvFormat, "%timestamp:::date-rfc3339,csv%,%hostname:::csv%,%syslogseverity:::csv%,%syslogfacility-text:::csv%,%syslogtag:::csv%,%msg:::csv%\n"
    *.* |/var/osquery/syslog_pipe;OsqueryCsvFormat

Rsyslog versions >= 7

    template(
      name="OsqueryCsvFormat"
      type="string"
      string="%timestamp:::date-rfc3339,csv%,%hostname:::csv%,%syslogseverity:::csv%,%syslogfacility-text:::csv%,%syslogtag:::csv%,%msg:::csv%\n"
    )
    *.* action(type="ompipe" Pipe="/var/osquery/syslog_pipe" template="OsqueryCsvFormat")

  • Restart the rsyslog daemon:

    sudo systemctl restart rsyslog
  • Restart the endpoint agent.
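To check what the OsqueryCsvFormat template above actually produces, and to see why the csv property option matters, here is an added Python example (not part of this page or of the Devo/osquery projects) that parses lines in that column order: RFC 3339 timestamp, hostname, numeric severity, facility text, syslog tag, message. The sample lines are constructed for the example and assume the csv option wraps each field in RFC 4180 double quotes with embedded quotes doubled; the field names, the severity table and the helper functions are the example's own choices. Point it at a file written by rsyslog with the same template rather than at the pipe itself, since a second reader on the pipe would consume events meant for osquery.

```python
import csv
from datetime import datetime

# RFC 5424 severity numbers 0..7; the template emits the number, not the name.
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Column order of the OsqueryCsvFormat template on this page (names are ours).
FIELDS = ["time", "host", "severity", "facility", "tag", "message"]

# Constructed sample output; the second message contains a comma and quotes,
# the third line is deliberately truncated to show how malformed input is handled.
SAMPLE_LINES = [
    '"2024-05-01T10:15:30.123456+00:00","web01","6","auth","sshd[1042]:",'
    '" Accepted publickey for deploy from 10.0.0.5 port 51514 ssh2"',
    '"2024-05-01T10:15:31.000000+00:00","web01","3","daemon","myapp[77]:",'
    '" error: field=""a,b"", status=failed"',
    '"2024-05-01T10:15:32.000000+00:00","web01","notice","user"',
]


def parse_syslog_csv_line(line):
    """Parse one template line into a dict, or return None if it is malformed.

    csv.reader honours the RFC 4180 quoting, so a comma or quote inside the
    message body cannot shift the following columns."""
    try:
        row = next(csv.reader([line.rstrip("\r\n")]))
    except StopIteration:
        return None
    if len(row) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, row))
    try:
        # Validate the timestamp and severity so garbage never reaches consumers.
        datetime.fromisoformat(rec["time"])
        rec["severity"] = int(rec["severity"])
    except ValueError:
        return None
    if not 0 <= rec["severity"] <= 7:
        return None
    rec["severity_name"] = SEVERITY_NAMES[rec["severity"]]
    # rsyslog's %msg% normally carries a leading space after the tag.
    rec["message"] = rec["message"].strip()
    return rec


def parse_syslog_csv_lines(lines):
    """Parse many lines, silently dropping the malformed ones."""
    records = []
    for line in lines:
        rec = parse_syslog_csv_line(line)
        if rec is not None:
            records.append(rec)
    return records


def count_by_severity(records):
    """Count events per severity name, e.g. to spot a burst of 'err' entries."""
    counts = {}
    for rec in records:
        counts[rec["severity_name"]] = counts.get(rec["severity_name"], 0) + 1
    return counts


if __name__ == "__main__":
    events = parse_syslog_csv_lines(SAMPLE_LINES)
    for ev in events:
        print(ev["time"], ev["host"], ev["severity_name"], ev["tag"], ev["message"])
    print(count_by_severity(events))
```

If the template were written without the csv option, the second sample line would split into seven fields and be rejected (or worse, be mis-aligned), which is the reason every property in the template carries ",csv".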