System monitoring with osquery

System monitoring with osquery

Posted May 26, 2017 9:37 UTC (Fri) by amarao (guest, #87073)
Parent article: System monitoring with osquery

I was really excited to read about it. I even played with it on a sandbox machine for a while.

There was one thing which I assumed to be supported: remote queries. I assumed that osqueryi (the command line utility) could connect to a remote osqueryd. It was so obvious to have and to do.

As far as I could see, there is not a single option which allows osqueryd to listen on a TCP socket.

When I realized that this is not a 'remote SQL interface to your servers', most of my enthusiasm faded. Yes, this thing is interesting, but it forces too much policy onto users, and it provides too few mechanisms.


System monitoring with osquery

Posted May 26, 2017 10:25 UTC (Fri) by mathstuf (subscriber, #69389) [Link] (3 responses)

Remote communication can require an authentication scheme first which may not have been implemented yet. If you want, couldn't you use socat and/or SSH port forwarding to access the domain socket (I assume) it is using?

System monitoring with osquery

Posted May 26, 2017 10:31 UTC (Fri) by amarao (guest, #87073) [Link] (2 responses)

Yes, we could use ssh for this. Actually, in production, we're already using ssh, with old-school nagios checks under shinken. It works, but constant ssh sessions put a big strain on the system. PAM, auth logging, key negotiations (including host key changes) - it's all too bulky and asks for refactoring.

I thought about trying osquery for this, but, as it seems, it wouldn't solve any of those problems. Too sad.

System monitoring with osquery

Posted May 29, 2017 11:34 UTC (Mon) by robbe (guest, #16131) [Link] (1 response)

Take a look at ControlMaster and friends in ssh_config(5).

System monitoring with osquery

Posted May 29, 2017 12:05 UTC (Mon) by amarao (guest, #87073) [Link]

> Take a look at ControlMaster and friends in ssh_config(5).

As an administrator I can say one thing: never ever use ControlMaster for monitoring purposes. ControlMaster works well if servers and networks work well. But monitoring should continue to work even when nasty things happen to the network and hosts. If the previous TCP connection is stuck in oblivion due to a stalled conntrack entry, or an RST that was lost in turbulence, ControlMaster will cause massive false positives, distracting people from actual issues, or even masking actual problems on hosts behind a mundane 'network glitch' issue.
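The two points raised in this subthread, reaching osqueryd over SSH instead of a TCP listener (mathstuf's suggestion) and not letting a wedged ControlMaster socket masquerade as a dead host (amarao's objection), can be combined in one small wrapper. The script below is an added example; it is not code from the thread, from LWN, or from the osquery project. It assumes the remote extension socket lives at /var/osquery/osquery.em, that osqueryi's `--connect` option attaches to an already-running osqueryd, and that `$SSH` may name a stand-in for ssh so the fallback logic can be exercised without a network.

```shell
#!/bin/sh
# Added example, not code from the LWN thread or the osquery project.
# Assumptions: remote osqueryd extension socket at /var/osquery/osquery.em,
# osqueryi --connect <socket> attaches to it, $SSH may point at a test double.

SSH="${SSH:-ssh}"
CTL_DIR="${CTL_DIR:-${HOME:-/tmp}/.ssh/ctl}"
mkdir -p "$CTL_DIR"

# ssh with a short-lived, keepalive-checked master.  ControlPersist=60 closes
# an idle master after a minute; ServerAliveInterval/CountMax abandon a session
# whose peer stops answering within about 20 s; BatchMode never waits on a
# prompt, so a changed host key fails fast instead of hanging the check.
sshx() {
    "$SSH" -o ControlMaster=auto -o "ControlPath=$CTL_DIR/%C" \
        -o ControlPersist=60 -o ServerAliveInterval=10 \
        -o ServerAliveCountMax=2 -o ConnectTimeout=5 -o BatchMode=yes "$@"
}

# A plain connection that ignores any control socket: the fallback path.
ssh_fresh() {
    "$SSH" -o ControlMaster=no -o ControlPath=none \
        -o ConnectTimeout=5 -o BatchMode=yes "$@"
}

# probe HOST: 0 = reachable through the master, 2 = master was stale but a
# fresh connection works (log it, do not alert), 1 = host really unreachable.
probe() {
    host=$1
    if sshx -O check "$host" >/dev/null 2>&1; then
        sshx "$host" true >/dev/null 2>&1 && return 0
    fi
    # Master missing or wedged: tear it down (ignoring errors) and retry
    # without multiplexing, so a lost RST or an expired conntrack entry is
    # reported as a stale socket rather than as a host outage.
    sshx -O exit "$host" >/dev/null 2>&1 || true
    ssh_fresh "$host" true >/dev/null 2>&1 && return 2
    return 1
}

# osquery_remote HOST SQL: forward osqueryd's Unix socket to a local path
# (OpenSSH 6.7 and later forward Unix sockets with -L) and run one query.
osquery_remote() {
    host=$1; sql=$2
    local_sock="$CTL_DIR/osquery-$host.em"
    rm -f "$local_sock"
    sshx -N -f -L "$local_sock:/var/osquery/osquery.em" "$host" || return 1
    osqueryi --connect "$local_sock" "$sql"
}

# Usage: ./osq-remote.sh HOST ["SELECT ..."]
if [ $# -ge 1 ]; then
    rc=0; probe "$1" || rc=$?
    if [ "$rc" -eq 1 ]; then echo "CRITICAL: $1 unreachable" >&2; exit 2; fi
    if [ "$rc" -eq 2 ]; then echo "warning: stale control socket for $1, reconnected" >&2; fi
    osquery_remote "$1" "${2:-SELECT hostname FROM system_info;}"
fi
```

The distinction `probe` draws is the one that matters for a monitoring check: a master socket that no longer answers `-O check` is torn down and the host is re-tested on a fresh connection, so only a failure of that second path becomes an alert. Nothing is cached across the two attempts except the socket file, which `-O exit` removes.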

System monitoring with osquery

Posted May 27, 2017 6:59 UTC (Sat) by antifuchs (subscriber, #34569) [Link]

At work I believe we use doorman (https://github.com/mwielgoszewski/doorman) for this, and it works reasonably well.


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds