@cocowalla
Created March 30, 2018 19:24
{
  // osqueryd configuration. osquery's config reader strips `//` comments, so
  // this file is not strict JSON: feed it only to osquery, not to a plain
  // JSON parser.
  // Configure the daemon below:
  "options": {
    // Option values are written as strings ("true"/"false"), matching the
    // osquery flag convention used throughout this block.
    // Select the osquery config plugin.
    "config_plugin": "filesystem",
    // Select the osquery logging plugin.
    "logger_plugin": "filesystem",
    // The log directory stores info, warning, and errors.
    // If the daemon uses the 'filesystem' logging retriever then the log_dir
    // will also contain the query results.
    "logger_path": "/var/log/osquery",
    // Set 'disable_logging' to true to prevent writing any info, warning, error
    // logs. If a logging plugin is selected it will still write query results.
    "disable_logging": "false",
    // Event publishers and the Linux audit publisher are both left enabled;
    // the audit_* options below tune what the audit publisher collects.
    "disable_events": "false",
    "disable_audit": "false",
    // NOTE(review): 'audit_allow_config' lets osqueryd manage the kernel audit
    // rules itself, and 'audit_persist' makes it try to keep that control.
    // On a host that also runs auditd the two daemons will compete for the
    // audit subsystem — confirm only one of them owns it.
    "audit_allow_config": "true",
    "audit_persist": "true",
    // Event classes the audit publisher records: process execs, file
    // integrity events, user/login events and socket activity.
    "audit_allow_process_events": "true",
    "audit_allow_fim_events": "true",
    "audit_allow_user_events": "true",
    "audit_allow_sockets": "true",
    // NOTE(review): the extension socket is placed under the world-writable
    // /tmp and its name suggests a test setup. For anything beyond local
    // testing keep the socket in a root-owned directory (the daemon already
    // uses /var/osquery below) so an unprivileged local user cannot pre-create
    // or replace the path before osqueryd binds it.
    "extensions_socket": "/tmp/audit_test",
    // Debug-level logging; expect a large log volume on a busy host.
    "verbose": "true",
    "log_result_events": "true",
    // presumably enables the watchdog process monitor — confirm against the
    // osquery flag reference for the version in use.
    "enable_monitor": "true",
    // Leftover commented-out settings kept from the upstream example config;
    // 'disable_events' and 'disable_audit' are set explicitly above.
    //"disable_events": "false",
    //"disable_audit": "false",
    //"audit_allow_process_events",
    //"host_identifier": "hostname",
    // Splay the scheduled interval for queries.
    // This is very helpful to prevent system performance impact when scheduling
    // large numbers of queries that run at small or similar intervals.
    //"schedule_splay_percent": "10",
    // A filesystem path for disk-based backing storage used for events and
    // query results differentials. See also 'use_in_memory_database'.
    "database_path": "/var/osquery/osquery.db",
    // Comma-delimited list of table names to be disabled.
    // This allows osquery to be launched without certain tables.
    //"disable_tables": "foo_bar,time",
    // Report times in UTC so logs from many hosts line up.
    "utc": "true"
  },
  // Define a schedule of queries:
  "schedule": {
    // This is a simple example query that outputs basic system information.
    "system_info": {
      // The exact query to run.
      "query": "SELECT hostname, cpu_brand, physical_memory FROM system_info;",
      // The interval in seconds to run this query, not an exact interval.
      // Unlike the options above, the interval is a bare number.
      "interval": 3600
    }
  },
  // Decorators are normal queries that append data to every query.
  "decorators": {
    // 'load' decorators run when the config is loaded; their columns
    // (host_uuid, username) are attached to every logged result row.
    "load": [
      "SELECT uuid AS host_uuid FROM system_info;",
      "SELECT user AS username FROM logged_in_users ORDER BY time DESC LIMIT 1;"
    ]
  },
  // Add default osquery packs or install your own.
  //
  // There are several 'default' packs installed with 'make install' or via
  // packages and/or Homebrew.
  //
  // Linux: /usr/share/osquery/packs
  // OS X: /var/osquery/packs
  // Homebrew: /usr/local/share/osquery/packs
  // make install: {PREFIX}/share/osquery/packs
  //
  "packs": {
    // File-integrity-monitoring pack; the path must exist on this host or the
    // pack is silently not loaded — verify it matches the install location.
    "fim": "/usr/local/share/osquery/packs/fim.conf"
  }
}