
How to enable syslog events

When the endpoint agent starts up, it attempts to create a named pipe, with the appropriate permissions, for rsyslogd (or a similar daemon) to write to. The path of this pipe is set by the configuration flag --syslog_pipe_path (default: /var/osquery/syslog_pipe). This document describes the steps required to configure rsyslogd to send its data to osquery through that pipe.

Once Rsyslog is properly configured to send events to osquery, data will show up in box.devo_ea.events_linux provided that the default query all_linux_syslog_events (included in DevoEventsPack) is enabled.

Requirements

In order to capture syslog events natively, you need a system utility for message logging. This document uses rsyslogd as the reference, since it ships by default on a wide range of Linux distributions.

It is also possible to use other tools like syslog-ng. See more information here.

Enablement in Endpoint Agent

  • Configure the system syslog daemon. Add a new file (60-osquery.conf, for example) to /etc/rsyslog.d:

The older format also works with newer versions of Rsyslog; however, the new format is recommended.

Rsyslog versions < 7

$template OsqueryCsvFormat, "%timestamp:::date-rfc3339,csv%,%hostname:::csv%,%syslogseverity:::csv%,%syslogfacility-text:::csv%,%syslogtag:::csv%,%msg:::csv%\n"
*.* |/var/osquery/syslog_pipe;OsqueryCsvFormat


Rsyslog versions >= 7

template(
  name="OsqueryCsvFormat"
  type="string"
  string="%timestamp:::date-rfc3339,csv%,%hostname:::csv%,%syslogseverity:::csv%,%syslogfacility-text:::csv%,%syslogtag:::csv%,%msg:::csv%\n"
)
*.* action(type="ompipe" Pipe="/var/osquery/syslog_pipe" template="OsqueryCsvFormat")
  • Restart Rsyslog daemon:

sudo systemctl restart rsyslog
  • Restart Endpoint Agent:

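To verify what the template above actually hands to osquery, the following added example (not part of this page or of the Endpoint Agent) parses lines in the OsqueryCsvFormat layout into the six fields the template emits and checks that the pipe path is a FIFO; the sample lines are constructed, not real captures, and the function names are our own.

```python
"""Check lines produced by the OsqueryCsvFormat rsyslog template."""
import csv
import io
import os
import stat

# Field order is fixed by the template: timestamp, hostname, severity,
# facility, tag, msg. rsyslog's csv property option quotes per RFC 4180.
FIELDS = ("time", "host", "severity", "facility", "tag", "message")


def parse_syslog_csv(line):
    """Parse one template line into a dict; None if it is not six fields."""
    rows = list(csv.reader(io.StringIO(line)))
    if not rows or len(rows[0]) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, rows[0]))
    rec["severity"] = int(rec["severity"])      # %syslogseverity% is numeric
    rec["message"] = rec["message"].strip()     # %msg% keeps a leading space
    return rec


def parse_many(lines):
    """Parse a batch of lines, silently dropping malformed ones."""
    return [r for r in (parse_syslog_csv(l) for l in lines) if r]


def errors_or_worse(records, max_severity=3):
    """Records at severity 'err' (3) or more urgent (lower number)."""
    return [r for r in records if r["severity"] <= max_severity]


def pipe_is_fifo(path="/var/osquery/syslog_pipe"):
    """True when the agent's pipe exists and is a named pipe (hypothetical helper)."""
    try:
        return stat.S_ISFIFO(os.stat(path).st_mode)
    except FileNotFoundError:
        return False


# Constructed sample lines in the OsqueryCsvFormat layout (not real logs).
SAMPLE_LINES = [
    '"2024-03-01T10:15:02+00:00","web01","6","auth","sshd[1187]:",'
    '" Accepted publickey for deploy from 10.0.0.5 port 51522 ssh2"',
    '"2024-03-01T10:15:09+00:00","web01","3","authpriv","sudo:",'
    '"    alice : command not allowed ; TTY=pts/0 ; USER=root ; COMMAND=/bin/bash"',
    '"2024-03-01T10:15:11+00:00","web01","6","daemon","app[42]:",'
    '" msg with ""quotes"", a comma"',
    '"broken line","only two fields"',
]

if __name__ == "__main__":
    for rec in errors_or_worse(parse_many(SAMPLE_LINES)):
        print(rec["time"], rec["host"], rec["tag"], rec["message"])
```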