Splunk App for OSquery: Where to install the packs to get the dashboards working?

j4adam
Communicator

I have the Splunk App for OSquery installed but the dashboard is not populating. All of the drop-downs are greyed out and I think it's because I have the packs installed incorrectly / in the wrong place.

The documentation on the app is pretty sparse and I don't know anything about osquery itself, so I'm fumbling in the dark here. We've installed the packs on the nodes sending data to Splunk. Should they be installed somewhere else?

The app itself has basically nothing except dashboards and a single props stanza:

[osqueryd.results]
EXTRACT-pack = (?<pack>pack_[^_]+)_

Any ideas?

Thanks!


j4adam
Communicator

I got it working. The issue was that sending the data via rsyslog meant the resulting log file was in syslog format instead of the anticipated JSON format. The solution was to stop sending it via syslog and monitor the file directly with a Universal Forwarder (as the app suggests).

The packs do need to be installed on the nodes collecting osquery data and the app itself installed on the Search Head(s).

Thanks again to @tprzelomiec for the help debugging the issue.

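To make the accepted answer concrete, here is an added example (not code from the thread or from the Splunk App for OSquery) that reproduces the failure in plain Python: the same osquery result record is shown once as osqueryd writes it to osqueryd.results.log and once with the syslog header that an rsyslog relay prepends. Both sample lines are constructed, the field values in them are invented, the syslog-header regex is an assumption about BSD-style rsyslog output, and the app's EXTRACT regex is translated from Splunk's `(?<pack>...)` syntax to Python's `(?P<pack>...)`. The check mirrors what KV_MODE=json does at search time: fields are only auto-extracted when the whole event is a JSON document.

```python
import json
import re
from typing import Optional

# Constructed sample: one line as osqueryd writes it to
# /var/log/osquery/osqueryd.results.log (fields trimmed for brevity).
RESULT_LINE = (
    '{"name":"pack_incident-response_process_events","hostIdentifier":"host1",'
    '"calendarTime":"Tue Jan 10 12:00:00 2017 UTC","unixTime":1484049600,'
    '"action":"added","columns":{"pid":"4242","path":"/usr/bin/curl"}}'
)

# Constructed sample: the same record after rsyslog forwarded it. The relay
# prepends a syslog header, so the event no longer starts with '{'.
SYSLOG_LINE = "Jan 10 12:00:00 host1 osqueryd[1234]: " + RESULT_LINE

# The app's props.conf EXTRACT, translated to Python's named-group syntax
# (Splunk writes (?<pack>...), Python's re module needs (?P<pack>...)).
PACK_RE = re.compile(r"(?P<pack>pack_[^_]+)_")

# Assumed BSD-style syslog prefix: "Mon DD HH:MM:SS host program[pid]: ".
SYSLOG_HEADER_RE = re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d \S+ \S+: ")


def json_fields(event: str) -> Optional[dict]:
    """Mimic KV_MODE=json: return the fields only if the entire event is a
    JSON object. Leading syslog text makes the parse fail, so no fields."""
    try:
        obj = json.loads(event)
    except json.JSONDecodeError:
        return None
    return obj if isinstance(obj, dict) else None


def pack_name(event: str) -> Optional[str]:
    """Apply the app's EXTRACT-pack regex. It is a search anywhere in the
    event, so it still matches a syslog-wrapped line; that is why the
    question saw a pack field but none of the JSON fields."""
    m = PACK_RE.search(event)
    return m.group("pack") if m else None


def strip_syslog_header(event: str) -> str:
    """Undo the rsyslog wrapping. Monitoring the file directly with a
    Universal Forwarder, as the solution does, makes this unnecessary."""
    return SYSLOG_HEADER_RE.sub("", event, count=1)


def dashboard_ready(event: str) -> bool:
    """True when the dashboards' searches would find what they need:
    auto-extracted JSON fields plus a pack value derived from "name"."""
    fields = json_fields(event)
    return (
        fields is not None
        and "name" in fields
        and pack_name(fields["name"]) is not None
    )


if __name__ == "__main__":
    for label, ev in (("direct file", RESULT_LINE), ("via rsyslog", SYSLOG_LINE)):
        print(
            f"{label:12s} json_fields={json_fields(ev) is not None} "
            f"pack={pack_name(ev)} ready={dashboard_ready(ev)}"
        )
    print("after stripping header:", dashboard_ready(strip_syslog_header(SYSLOG_LINE)))
```

Run it and the direct-file line is ready while the rsyslog line is not, even though the pack regex matches both; stripping the header recovers the record. In Splunk terms, the fix belongs at ingest (monitor the file with a UF so the event is the bare JSON) rather than at search time.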

tprzelomiec
Splunk Employee

The dropdowns are populated by searches so either you're not getting data in or it's coming in under the wrong sourcetype.

Did you follow the setup instructions from http://osquery.readthedocs.io/en/stable/ ? Is the osquery service running?

The packs should be installed on each node you're running osquery on, so that sounds right.

Is there anything being written to /var/log/osquery/osqueryd.results.log ?

j4adam
Communicator

I have about 8 boxes running osquery being sent to a heavy forwarder running syslog-ng. On the forwarder I am monitoring the directory using /osquery//YYYY_MM_DD_osquery.log generated by syslog-ng. The inputs.conf is sourcetyping them as osqueryd.results as the app wishes, and there is a ton of data coming in that is searchable.

When I look at the searches, they are looking for fields that don't exist (there are no extractions at all in the app, just that one props stanza).


tprzelomiec
Splunk Employee

OSquery outputs in JSON format, which is natively understood by Splunk. What version of Splunk are you running?

You can try adding a "local" directory to the app (on the search head), create a props.conf file in there and add the following:

[osqueryd.results]
KV_MODE=json


j4adam
Communicator

I'm running 6.5.1. I'll give that a shot, actually. That sounds promising.


j4adam
Communicator

That got some fields but still not working great. I have a theory that maybe sending the data over syslog (currently sending it via rsyslog to the syslog-ng server) might be messing with things. I'm going to try logging it directly from the box using a UF and see if that fixes it.
