Osquery snapshot

Jin_Qian · March 16, 2018, 12:01am

Hi, I am using filebeat to collect osquery snapshot log /var/log/osquery/osqueryd.snapshots.log.

Do I need to add above path to paths setting?
Currently it only contains /var/log/osquery/osqueryd.results.log

steffens · March 16, 2018, 8:52am

Are you collecting the raw log as is or are you using a filebeat module? If both files have the same formatting, you can easily add both files to paths or use a glob.

Jin_Qian · March 27, 2018, 3:01am

I am using filebeat module. Both files are formated as json per line.

The problem is filebeat osquery module does not document if I need include
/var/log/osquery/osqueryd.snapshots.log in the paths config manually.

# Set custom paths for the log files. If left empty,
# Filebeat will choose the paths depending on your OS.
#var.paths: ["/var/log/osquery/osqueryd.results.log*"]

So to ensure it works, I set the paths to
var.paths: ["/var/log/osquery/osqueryd.results.log*", "/var/log/osquery/osqueryd.snapshots.log*"]

system · April 24, 2018, 3:01am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Filebeat not picking up OSQUERY LOGS SIEM	1	364	October 18, 2020
Relative path to save filebeat logs Beats filebeat	2	1394	January 20, 2017
Osquery module logs not prefixed with osquery.result Beats filebeat	2	392	September 25, 2018
Question about path in filebeat configuration Beats filebeat	4	931	July 19, 2016
Filebeat - Module Elasticsearch 7.16 Beats beats-module , filebeat	1	366	January 26, 2022

Osquery snapshot

Related topics