I have successfully deployed both OSQuery manager and one agent to a Linux machine.
However, my deployment to a Windows box doesn't seem to be working.
I believe it's because the log path needs to be modified to something suitable to Windows.
This is the default value: /var/log/osquery/osqueryd.results.log*
When installing the Elastic Agent on the Windows host, did you use administrator permissions at the command prompt? I recommend creating an inbound rule in the Windows Firewall for the Elastic Agent. In some situations, Windows Firewall blocks remote communications.
What version of Windows? On this host, is there any endpoint protection solution such as antivirus?
Which integration are you using? Osquery Logs or Osquery Manager?
The first one requires that you already have osquery installed on the host and will collect the logs for it; the second one will use the osqueryd that is shipped with the agent and allows you to run queries directly from Kibana.
OK that worked now that I understand the difference between the two.
For some reason I thought "Logs" was a client and "Manager" was the server side.
I guess I overcomplicated things.
Thanks for the reply, this will be a great addition to our DFIR capability.
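An added example, not part of this thread or of Elastic's own tooling: a PowerShell check that walks through the points raised above on the Windows host before picking an integration. It is run from an elevated prompt and assumes two paths that are not stated in the thread, the default osquery results log on Windows and the Elastic Agent binary location; adjust both to your install.

```powershell
# Added example (not from the thread or from Elastic). Assumed paths, adjust to your install:
$OsqueryLog  = 'C:\Program Files\osquery\log\osqueryd.results.log'   # assumed osquery default on Windows
$AgentBinary = 'C:\Program Files\Elastic\Agent\elastic-agent.exe'     # assumed Elastic Agent install path

# 1. Elevation: the agent install and any firewall change both need an Administrator prompt.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Write-Warning 'Not elevated: rerun this from an Administrator prompt.'
    return
}

# 2. Windows version and any registered antivirus product (the questions asked in the thread).
#    SecurityCenter2 exists on client editions of Windows, not on Windows Server.
(Get-CimInstance -ClassName Win32_OperatingSystem).Caption
Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction SilentlyContinue |
    Select-Object displayName, productState

# 3. Which integration fits: Osquery Logs needs a standalone osqueryd already writing a results log;
#    Osquery Manager brings its own osqueryd with the agent and needs no log path at all.
$svc = Get-Service -Name 'osqueryd' -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    Write-Host 'No osqueryd service installed: use the Osquery Manager integration.'
} elseif (-not (Test-Path -Path $OsqueryLog)) {
    Write-Warning "osqueryd is installed but no results log at $OsqueryLog; set the Osquery Logs path to the real location. The Linux default (/var/log/osquery/osqueryd.results.log*) will never match on Windows."
} else {
    Write-Host "Results log found at $OsqueryLog; point the Osquery Logs integration's path there."
}

# 4. Inbound Windows Firewall rule for the agent binary, as recommended above.
if (-not (Get-NetFirewallRule -DisplayName 'Elastic Agent' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName 'Elastic Agent' -Direction Inbound -Program $AgentBinary -Action Allow | Out-Null
    Write-Host 'Created inbound firewall rule for Elastic Agent.'
}
```

The firewall rule is scoped to the agent executable rather than a port so it stays valid if the Fleet or output ports change; tighten it further with -RemoteAddress if your Fleet server has a fixed address.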