The JSA DSM for osquery receives JSON formatted events from devices that use a Linux operating system. The osquery DSM is available for JSA V7.3.0 and later.
The osquery DSM supports rsyslog and the following queries, which are included in the qradar.pack.conf file for osquery V3.3.2:
The supported osquery queries run on a 10-second interval and capture only the data that is available at that moment. For example, if a new process starts and finishes between two runs of the container_processes query, osquery does not capture that process.
The following supported queries capture only the data that is available at the 10-second querying interval:
To integrate osquery with JSA, complete the following steps:
- If automatic updates are not configured, download the most recent version of the following RPMs from Juniper Customer Support onto your JSA Console:
  - osquery DSM RPM
  - TCP Multiline Syslog protocol RPM
  - Protocol Common RPM
- Ensure that the TCP port that you want to use on your JSA Console to receive events is open.
- Configure rsyslog on your Linux system.
- Configure osquery on your Linux system.
- Add an osquery log source on the JSA Console that uses the TCP multiline syslog protocol.
osquery DSM Specifications
When you configure osquery, understanding the specifications for the osquery DSM can help ensure a successful integration. For example, knowing the supported version of osquery before you begin can reduce frustration during the configuration process.
The following table describes the specifications for the osquery DSM:
Table 1: osquery DSM specifications
- RPM file name
- TCP Multiline Syslog
- Recorded event types: Access, Audit, Authentication, System
- Includes custom properties?
Configuring rsyslog on your Linux system
Before you can add a log source in JSA, you need to configure rsyslog on your Linux system.
Rsyslog must be installed on your Linux system. For more information, go to the rsyslog website.
- On your Linux system, open the /etc/rsyslog.conf file, and then add the following entry at the end of the file:
where <QRadar_IP_address> is the IP address of the JSA Event Collector that you want to send events to.
- Rsyslog must be able to send events on a non-standard TCP port. A potential obstacle is that SELinux might block TCP port 12468.
- Restart the rsyslog service.
Configuring osquery on your Linux system
Before you can add a log source in JSA, you must configure osquery on your Linux device.
Osquery V3.3.2 must be installed and running on your Linux system.
- Download the qradar.pack.conf file from Juniper Customer Support.
- Copy the qradar.pack.conf file to your osquery host. For
- Edit the osquery.conf file. The default file location is
Ensure the following options are included in the
    "disable_logging": "false",
    "disable_events": "false",
    "logger_plugin": "filesystem,syslog"
The qradar.pack.conf file contains a "file_paths" section that defines the default file integrity monitoring for the JSA pack. "file_paths" entries that are defined inside customer <osquery>.conf files take precedence over the
- Restart the osquery daemon.
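The following is an added example, not part of the Juniper documentation or of osquery itself: a small Python check that verifies an osquery.conf contains the three options listed above and shows how "file_paths" from the pack and from the main configuration combine when entries in the main file take precedence. It assumes the options sit under the standard osquery "options" key and that precedence is resolved per "file_paths" category name; both sample configurations are constructed for the example.

```python
import json

# Options this DSM page requires in osquery.conf (values as the page shows them).
REQUIRED_OPTIONS = {
    "disable_logging": "false",
    "disable_events": "false",
    "logger_plugin": "filesystem,syslog",
}


def check_required_options(osquery_conf: dict) -> list:
    """Return a list of problems; an empty list means every required option matches.
    Assumption: the options live under the standard osquery "options" key.
    JSON booleans are accepted as equivalent to the quoted strings."""
    opts = osquery_conf.get("options", {})
    problems = []
    for key, expected in REQUIRED_OPTIONS.items():
        actual = opts.get(key)
        if actual is None:
            problems.append(f"missing option {key!r}")
        elif str(actual).lower() != expected:
            problems.append(f"{key!r} is {actual!r}, expected {expected!r}")
    return problems


def effective_file_paths(pack_conf: dict, osquery_conf: dict) -> dict:
    """Merge file_paths: the pack supplies defaults, osquery.conf wins on conflict.
    Assumption: precedence is resolved per category name."""
    merged = dict(pack_conf.get("file_paths", {}))
    merged.update(osquery_conf.get("file_paths", {}))
    return merged


# Constructed sample inputs (not the real qradar.pack.conf or a real osquery.conf).
SAMPLE_PACK = json.loads('''{
  "file_paths": {
    "etc": ["/etc/%%"],
    "binaries": ["/usr/bin/%%", "/usr/sbin/%%"]
  }
}''')

SAMPLE_OSQUERY_CONF = json.loads('''{
  "options": {"disable_logging": "false", "disable_events": "true",
              "logger_plugin": "filesystem,syslog"},
  "file_paths": {"etc": ["/etc/ssh/%%"]}
}''')

if __name__ == "__main__":
    for problem in check_required_options(SAMPLE_OSQUERY_CONF):
        print("config problem:", problem)
    print(json.dumps(effective_file_paths(SAMPLE_PACK, SAMPLE_OSQUERY_CONF), indent=2))
```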
osquery log source parameters
When you add an osquery log source on the JSA Console by using the TCP multiline syslog protocol, there are specific parameters you must use.
You might need to restart rsyslog after you add the log source in JSA.
The following table describes the parameters that require specific values to collect TCP multiline syslog events from osquery:
Table 2: TCP multiline syslog log source parameters for the osquery DSM
- Log Source type
- TCP Multiline Syslog
- Log Source Identifier
- Message ID Pattern
- Show Advanced Options
- Use As A Gateway Log Source: Select this option. When selected, events that flow through the log source can be routed to other log sources based on the source name tagged on the events.
- Retain Entire Lines During Event Aggregation: Select this option. When this option is selected, you can either discard or keep the part of the events that comes before the Message ID Pattern when you concatenate events with the same ID pattern together.
- Select this option to enable the log source.
Sample event message
Use this sample event message as a way of verifying a successful integration with JSA.
The following table provides a sample event message when using the TCP multiline syslog protocol for the osquery DSM:
Table 3: osquery DSM sample message supported by osquery
- Sample log message
- User Account Added