Skip to content

Instantly share code, notes, and snippets.

What would you like to do?
// Configure the daemon below:
"options": {
"host_identifier": "scw-xxxxxxx",
"config_plugin": "filesystem",
// Select the osquery logging plugin.
"logger_plugin": "aws_kinesis",
"enable_monitor": "true",
// Splay the scheduled interval for queries.
// This is very helpful to prevent system performance impact when scheduling
// large numbers of queries that run a smaller or similar intervals.
"schedule_splay_percent": "10",
// Write the pid of the osqueryd process to a pidfile/mutex.
//"pidfile": "/var/osquery/osquery.pidfile",
// Clear events from the osquery backing store after a number of seconds.
"events_expiry": "3600",
// Comma-delimited list of table names to be disabled.
// This allows osquery to be launched without certain tables.
//"disable_tables": "foo_bar,time",
// Enable debug or verbose debug output when logging.
"verbose": "true",
"disable_logging": "false",
"enable_syslog": "true",
// Kinesis
"aws_kinesis_stream": "kinesis_logs_stream",
"aws_access_key_id": "XXXXXXXXXXXXXXXX",
"aws_secret_access_key": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
"aws_region": "eu-west-1",
"aws_kinesis_period": "10"
"schedule": {
"syslog": {
// "query": "SELECT * FROM syslog WHERE tag LIKE '%sshd%';",
"query": "SELECT * FROM syslog;",
"interval": 10
"etc_hosts": {
"query": "select * from etc_hosts;",
"interval": 10
// Decorators are normal queries that append data to every query.
"decorators": {
"load": [
"SELECT uuid AS host_uuid FROM system_info;",
"SELECT user AS username FROM logged_in_users ORDER BY time DESC LIMIT 1;"
// Add default osquery packs or install your own.
// There are several 'default' packs installed with 'make install' or via
// packages and/or Homebrew.
// Linux: /usr/share/osquery/packs
// OS X: /var/osquery/packs
// Homebrew: /usr/local/share/osquery/packs
// make install: {PREFIX}/share/osquery/packs
"packs": {
"osquery-monitoring": "/usr/share/osquery/packs/osquery-monitoring.conf"
// "incident-response": "/usr/share/osquery/packs/incident-response.conf",
// "it-compliance": "/usr/share/osquery/packs/it-compliance.conf",
// "osx-attacks": "/usr/share/osquery/packs/osx-attacks.conf",
// "vuln-management": "/usr/share/osquery/packs/vuln-management.conf",
// "hardware-monitoring": "/usr/share/osquery/packs/hardware-monitoring.conf"
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.