LWN: Comments on "System monitoring with osquery"
https://lwn.net/Articles/723589/
This is a special feed containing comments posted to the individual LWN article titled "System monitoring with osquery".
Thu, 09 Oct 2025 18:55:51 +0000

System monitoring with osquery
https://lwn.net/Articles/724568/
yodermk

This would be nice as a PostgreSQL foreign data wrapper. Then you could do even more arbitrary queries and data manipulation and query many of them together with other things from a single connection.

Sun, 04 Jun 2017 18:57:12 +0000

System monitoring with osquery
https://lwn.net/Articles/724087/
teddy

Hi all, osquery developer here, always glad to hear positive feedback about the project and that people are deriving value.

From the Linux-based OS perspective we receive a lot of feedback about the build and dependency setup. Our cmake build does not play nice with operating system package managers as it tries to produce binaries that are portable: linking against old ABIs, statically building and compiling most C++ dependencies, setting up a brew-based local copy of modern tools, and holding GTest+SQLite in a submodule.
If any package maintainer (who also dabbles in C++ development) wants to bring osquery into your OS's manager, please be patient with us; we have the best intentions and would be more than happy for the help!

If anyone is interested in new features or expanding the set of virtual tables, please say hi in the project's Slack or send us a GitHub issue: https://github.com/facebook/osquery

Tue, 30 May 2017 07:11:04 +0000

System monitoring with osquery
https://lwn.net/Articles/724057/
amarao

> Take a look at ControlMaster and friends in ssh_config(5).

As an administrator, I could say one thing: never ever use ControlMaster for monitoring purposes. ControlMaster works well if servers and networks work well. But monitoring should continue to work even when some nasty things happen with the network and hosts. If a previous TCP connection is stuck in oblivion due to a stalled conntrack, or an RST which was lost in turbulence, ControlMaster will cause massive false positives, distracting people from actual issues, or even masking actual problems on hosts by a mundane 'network glitch' issue.

Mon, 29 May 2017 12:05:25 +0000

System monitoring with osquery
https://lwn.net/Articles/724055/
robbe

Take a look at ControlMaster and friends in ssh_config(5).

Mon, 29 May 2017 11:34:44 +0000

System monitoring with osquery
https://lwn.net/Articles/723979/
antifuchs

At work I believe we use doorman (https://github.com/mwielgoszewski/doorman) for this, and it works reasonably well.

Sat, 27 May 2017 06:59:29 +0000

System monitoring with osquery
https://lwn.net/Articles/723857/
amarao

Yes, we could use ssh for this. Actually, in production, we're already using ssh, with old-school nagios checks under shinken. It works, but constant ssh sessions cause a big strain on the system. PAM, auth logging, key negotiations (including host key changes) - it's all too bulky and asks for refactoring.

I thought about trying osquery for this, but, as it seems, it wouldn't solve any of those problems. Too sad.

Fri, 26 May 2017 10:31:04 +0000

System monitoring with osquery
https://lwn.net/Articles/723855/
mathstuf

Remote communication can require an authentication scheme first which may not have been implemented yet. If you want, couldn't you use socat and/or SSH port forwarding to access the domain socket (I assume) it is using?

Fri, 26 May 2017 10:25:13 +0000

System monitoring with osquery
https://lwn.net/Articles/723848/
amarao

I was really excited to read about it. I even played with it in a sandbox machine for a while.

There was one thing which I assumed to be supported: remote queries. I assumed that osqueryi (command line utility) can connect to a remote osqueryd. It was so obvious to have and to do.

As far as I could see, there is not a single option which allows osqueryd to listen on a TCP socket.

When I realized that this is not a 'remote SQL interface to your servers', most of my enthusiasm faded. Yes, this thing is interesting, but it forces too much policy onto users, and it provides too few mechanisms.

Fri, 26 May 2017 09:37:23 +0000