Skip to content

Instantly share code, notes, and snippets.

@davidmerrick

davidmerrick/README.md

Last active March 7, 2021 21:27
Show Gist options
  • Star 1 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save davidmerrick/629905b1831fee6ef1c4f3a76fcfeab0 to your computer and use it in GitHub Desktop.
Save davidmerrick/629905b1831fee6ef1c4f3a76fcfeab0 to your computer and use it in GitHub Desktop.
Download ZIP
Monitoring disk space with osquery
Raw
README.md

Goal here is to monitor disk space usage on my parents' iMac, push it to Kinesis, and alert if it hits a certain threshold.

Prerequisites

Set up a Kinesis stream called osquery-firehose.

Steps

  1. Download the config.
  2. Run the command in osquery.sh.
  3. This will log to /var/log/osquery/osqueryd.results.log

LaunchDaemon

To create a LaunchDaemon which will run on startup, do the following:

sudo cp path/to/your.conf /var/osquery/osquery.conf
sudo cp com.facebook.osqueryd.plist /Library/LaunchDaemons/
sudo launchctl load /Library/LaunchDaemons/com.facebook.osqueryd.plist

Useful SQL

Select the most recent values from Athena:

WITH summary AS ( SELECT p.hostidentifier, p.unixtime, p.calendartime, p.columns.gigs_free as gigs_free, ROW_NUMBER() OVER(PARTITION BY p.hostidentifier ORDER BY p.unixtime DESC) AS rk FROM osquery_merrick p) SELECT s.hostidentifier, s.calendartime, s.gigs_free FROM summary s WHERE s.rk = 1

Alerting

Reference:

Raw
aws_perms.json
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Action": [
"firehose:PutRecord",
"firehose:PutRecordBatch"
],
"Resource": "ARN for your stream"
}
]
}
Raw
com.facebook.osqueryd.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>KeepAlive</key>
<true/>
<key>Label</key>
<string>com.facebook.osqueryd</string>
<key>ProgramArguments</key>
<array>
<string>/usr/local/bin/osqueryd</string>
</array>
<key>StandardErrorPath</key>
<string>/var/log/osquery/launcher-stderr.log</string>
<key>StandardOutPath</key>
<string>/var/log/osquery/launcher-stdout.log</string>
<key>RunAtLoad</key>
<true/>
<key>ThrottleInterval</key>
<integer>60</integer>
</dict>
</plist>
Raw
config.json
{
"options": {
"host_identifier": "hostname",
"schedule_splay_percent": 10,
"logger_plugin": "filesystem,aws_firehose",
"aws_firehose_stream": "osquery-firehose",
"aws_access_key_id": "nope",
"aws_secret_access_key": "nope",
"aws_region": "us-west-2"
},
"schedule": {
"disk_usage": {
"query": "select path, type, round((blocks_available * blocks_size *10e-10),2) as gigs_free from mounts where path='/';",
"interval": 43200
}
}
}
Raw
osquery.sh
sudo osqueryd --config_path=/path/to/config.json
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment