osquery
The IBM QRadar DSM for osquery receives JSON formatted events from devices that use a Linux® operating system. The osquery DSM is available for QRadar V7.3.0 and later.
The osquery DSM supports rsyslog and the following queries that are included in the qradar.pack.conf file for osquery V3.3.2:
- container_processes
- docker_container_mounts
- docker_containers
- listening_ports
- process_open_sockets
- sudoers
- users
- file_events
Important: The supported osquery queries run on a 10 second interval, and only capture data that is available at that moment. For example, if a new process starts and finishes between queries of container_processes, that information is not captured by osquery. For information about osquery differential logs, see the osquery documentation (https://osquery.readthedocs.io/en/stable/deployment/logging/#results-logs).
The following supported queries only capture data that is available at the 10 second querying interval:
- container_processes
- docker_container_mounts
- docker_containers
- listening_ports
- process_open_sockets
- sudoers
- users
To integrate osquery with QRadar, complete the following steps:
- If automatic updates are not enabled, RPMs are available for download from the IBM® support website (http://www.ibm.com/support). Download and install the most recent version of the following RPMs on your QRadar Console:
- DSM Common RPM
- osquery DSM RPM
- TCP Multiline Syslog protocol RPM
- Protocol Common RPM
- Ensure that the TCP port you want to use on your QRadar Console to receive events is open. For more information, see QRadar®: Managing IPtables firewall ports using the User Interface. (https://www.ibm.com/support/pages/qradar-managing-iptables-firewall-ports-using-user-interface)
- Configure rsyslog on your Linux system. For more information about configuring rsyslog, see Configuring rsyslog on your Linux system.
- Configure osquery on your Linux system. For more information about configuring osquery, see Configuring osquery on your Linux system.
- Add an osquery log source on the QRadar Console to use the TCP multiline syslog protocol. For information about osquery log source parameters, see osquery log source parameters.
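The events that reach the log source are osquery differential result rows (one JSON object per row, with an "added" or "removed" action) wrapped in an rsyslog line. The following is an added example, not code from IBM or the osquery project, that unwraps such lines and replays the added/removed actions to rebuild the last observed state per host and query; the syslog lines, host name, pack query names and column values are constructed sample data, and the rsyslog line layout is assumed.

```python
import json
import re
from collections import defaultdict

# Constructed sample: rsyslog-forwarded osquery differential results from a
# hypothetical host "web01". The pack/query names and column values are made up.
SAMPLE_SYSLOG = """\
<14>Mar  3 10:00:00 web01 osqueryd[1204]: {"name":"pack_qradar_listening_ports","hostIdentifier":"web01","unixTime":1700000000,"columns":{"pid":"812","port":"22","protocol":"6","address":"0.0.0.0"},"action":"added"}
<14>Mar  3 10:00:00 web01 osqueryd[1204]: {"name":"pack_qradar_listening_ports","hostIdentifier":"web01","unixTime":1700000000,"columns":{"pid":"990","port":"8080","protocol":"6","address":"0.0.0.0"},"action":"added"}
<14>Mar  3 10:00:10 web01 osqueryd[1204]: {"name":"pack_qradar_listening_ports","hostIdentifier":"web01","unixTime":1700000010,"columns":{"pid":"990","port":"8080","protocol":"6","address":"0.0.0.0"},"action":"removed"}
<14>Mar  3 10:00:10 web01 osqueryd[1204]: {"name":"pack_qradar_sudoers","hostIdentifier":"web01","unixTime":1700000010,"columns":{"header":"","rule_details":"deploy ALL=(ALL) NOPASSWD: ALL"},"action":"added"}
<14>Mar  3 10:00:10 web01 osqueryd[1204]: not a json payload
"""

# Assumed rsyslog layout: <PRI>timestamp host tag: {json}
SYSLOG_RE = re.compile(r"^<\d+>(?P<ts>\S+\s+\d+\s+[\d:]+)\s+(?P<host>\S+)\s+(?P<tag>[^:]+):\s*(?P<msg>\{.*\})$")


def parse_syslog_line(line):
    """Return the osquery result event carried by one rsyslog line, or None
    when the line is not syslog or its payload is not an osquery result row."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    try:
        event = json.loads(m.group("msg"))
    except json.JSONDecodeError:
        return None
    if not isinstance(event, dict) or "name" not in event or "columns" not in event:
        return None
    return event


def row_key(columns):
    # Canonical, hashable form of a result row so an "added" and a later
    # "removed" for the same row match exactly.
    return tuple(sorted(columns.items()))


def replay_differential(text):
    """Rebuild the last known state per (host, query) from differential events.
    Returns (state, skipped): state maps (host, query) -> set of row keys,
    skipped counts lines that carried no usable osquery event. Anything that
    appeared and vanished between two 10 second runs never shows up here."""
    state = defaultdict(set)
    skipped = 0
    for line in text.splitlines():
        event = parse_syslog_line(line)
        if event is None:
            skipped += 1
            continue
        key = (event["hostIdentifier"], event["name"])
        row = row_key(event["columns"])
        if event.get("action") == "added":
            state[key].add(row)
        elif event.get("action") == "removed":
            state[key].discard(row)
    return dict(state), skipped
```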