Osquery vs collectd
According to the official osquery docs, osquery (os = operating system) is an operating system instrumentation framework that exposes an operating system as a high-performance relational database. Using SQL, you can write a single query to explore any given data, regardless of operating system (more on osquery basics here). This, fundamentally, can help you see why osquery is a handy utility right out of the box, but the real value of the instrumentation agent is discovered when the data it can access is gathered and analyzed at scale, across an entire enterprise. When you look at developing a solution like this, osquery is a key part, but the entire system is not possible without additional components handling the transport, aggregation, storage, and presentation of all the rich data that osquery can provide.

In some cases this could mean introducing a commercial offering, but in this post we’re going to outline how to make osquery work using supplementary open-source tools.

Get an introduction to osquery: Learn the basics of osquery and SQL in this free training course.

This list is by no means exhaustive, but we’ve distilled it down to some of the most commonly used tools for building an osquery ecosystem. For a more comprehensive breakdown of how they stack up, check out this blog post. We’ve split them into six respective functions. Combining one tool from each of these functional areas will be a Do-It-Yourself starting point for deploying osquery at scale.

Endpoint Configuration/Deployment: How will you efficiently and seamlessly deliver osquery to the endpoint?

Chef, Ansible, and Puppet: while each of these tools has its own strengths, they all allow you to automate provisioning and configuration of endpoints for a variety of operating systems, and can be used to push osquery packages and configurations out to endpoints at scale.

Munki: The outlier of the group, Munki is specific to macOS fleets. It allows for configuration and update of software packages on macOS, and can be used to deploy osquery.

Endpoint Inspection Tools: What tools will you use to inspect the endpoint and collect data? We are building this potential solution set around osquery, so we will assume that osquery is the primary tool used to inspect the endpoint. However, there are several open-source tools that osquery integrates with or is packaged with that bear mentioning, and many more that can be integrated or used in complement with osquery via extensions.

Augeas: Commonly used to read configuration files into key-value pairs, this tool is built into osquery to make *nix config files parseable by osquery.
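The two ideas above, one SQL query that works regardless of operating system and the built-in Augeas lens for config files, as added example queries that are not part of the original post. They use osquery's own augeas, listening_ports, processes and users tables; the sshd_config path and the settings and addresses checked are illustrative assumptions.

```sql
-- Added example (not from the original post): queries a defender would
-- schedule across a fleet from osqueryi or the osquery config.
-- Table and column names are osquery's own (augeas: node, value, label, path;
-- listening_ports; processes; users). The file path and thresholds are assumed.

-- 1. Read sshd settings through the built-in Augeas lens instead of parsing
--    the file by hand. The path constraint is required, or osquery would try
--    to load every file Augeas knows about.
SELECT node, label, value
FROM augeas
WHERE path = '/etc/ssh/sshd_config'
  AND label IN ('PermitRootLogin', 'PasswordAuthentication');

-- 2. Same data, but return only non-compliant lines, so the result is empty
--    on healthy hosts: cheaper to ship and simpler to alert on.
SELECT path, label, value
FROM augeas
WHERE path = '/etc/ssh/sshd_config'
  AND (
       (label = 'PermitRootLogin'        AND value NOT IN ('no', 'prohibit-password'))
    OR (label = 'PasswordAuthentication' AND value <> 'no')
  );

-- 3. One cross-platform query: processes listening on non-loopback ports,
--    joined to their binary path and owning user. The same SQL runs on
--    Linux, macOS and Windows; only the rows differ.
SELECT lp.port, lp.protocol, lp.address,
       p.pid, p.name, p.path, u.username
FROM listening_ports AS lp
JOIN processes AS p ON p.pid = lp.pid
LEFT JOIN users AS u ON u.uid = p.uid
WHERE lp.port <> 0
  AND lp.address NOT IN ('127.0.0.1', '::1')
ORDER BY lp.port;
```

Query 2 is the shape that scales: a scheduled "differential" query that only produces rows when a host drifts from the baseline keeps the transport and storage components the post describes from drowning in unchanged data.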