osquery

The JSA DSM for osquery receives JSON formatted events from devices that use a Linux operating system. The osquery DSM is available for JSA V7.3.0 and later.

The osquery DSM receives events through rsyslog and supports the following queries, which are included in the qradar.pack.conf file for osquery V3.3.2:

  • container_processes

  • docker_container_mounts

  • docker_containers

  • listening_ports

  • process_open_sockets

  • sudoers

  • users

  • file_events

The supported osquery queries run on a 10 second interval and capture only the state that exists at that moment. For example, if a new process starts and exits between two runs of container_processes, osquery does not report it.

The following supported queries (every supported query except the event-driven file_events) capture only the data that is present at each 10 second query interval:

  • container_processes

  • docker_container_mounts

  • docker_containers

  • listening_ports

  • process_open_sockets

  • sudoers

  • users

To integrate osquery with JSA, complete the following steps:

  1. If automatic updates are not configured, download the most recent version of the following RPMs from Juniper Customer Support onto your JSA console:

    • DSMCommon RPM

    • osquery DSM RPM

    • TCP Multiline Syslog protocol RPM

    • Protocol Common RPM

  2. Ensure that the TCP port you want to use on your JSA Console to receive events is open.

  3. Configure rsyslog on your Linux system.

  4. Configure osquery on your Linux system.

  5. Add an osquery log source on the JSA Console to use the TCP multiline syslog protocol.

osquery DSM Specifications

Before you configure osquery, check the specifications for the osquery DSM, in particular the supported osquery version and the protocols it accepts, so that the integration does not fail on a version or transport mismatch.

The following table describes the specifications for the osquery DSM:

Table 1: osquery DSM specifications

DSM name: osquery
RPM file name: DSM-osquery-JSA_version-build_number.noarch.rpm
Supported versions: 3.3.2
Protocol: Syslog, TCP Multiline Syslog
Event format: JSON
Recorded event types: Access, Audit, Authentication, System
Automatically discovered?: No
Includes identity?: No
Includes custom properties?: Yes
More information: osquery website

Configuring rsyslog on your Linux system

Before you can add a log source in JSA, you need to configure rsyslog on your Linux system.

Rsyslog must be installed on your Linux system. For more information, see the rsyslog website.

  1. On your Linux system, open the /etc/rsyslog.conf file, and then add the following entry at the end of the file:

    local3.info @@<QRadar_IP_address>:12468

    where <QRadar_IP_address> is the IP address of the JSA Event Collector that you want to send events to. The @@ prefix tells rsyslog to forward over TCP (a single @ would use UDP), and local3 is the facility that the osquery syslog logger plugin writes to by default (syslog_facility 19).

  2. Rsyslog must be able to open outbound TCP connections on a non-standard port. On hosts that enforce SELinux, the policy might block rsyslog from connecting to TCP port 12468; allow that port for rsyslog in the SELinux policy before you test the forwarding.
  3. Restart the rsyslog service.

Configuring osquery on your Linux system

Before you can add a log source in JSA, you must configure osquery on your Linux device.

Osquery V3.3.2 must be installed and running on your Linux system.

  1. Download the qradar.pack.conf file from Juniper Customer Support.
  2. Copy the qradar.pack.conf file to your osquery host. For example, <location_of_pack_file>/qradar.pack.conf
  3. Edit the osquery.conf file. The default file location is /etc/osquery/osquery.conf.
    1. Ensure that the "options" section of the osquery.conf file includes the following options. The file is strict JSON, so separate the entries with commas:

      "disable_logging": "false",
      "disable_events": "false",
      "logger_plugin": "filesystem,syslog"

    2. Add qradar.pack.conf to the "packs" section of the osquery.conf file:

      "qradar": "/<path_to_packs>/qradar.pack.conf"

    Note

    The qradar.pack.conf file contains a "file_paths" section that defines default file integrity monitoring for the JSA pack. A "file_paths" section that is defined in your own osquery.conf file takes precedence over the one in qradar.pack.conf.

  4. Restart the osquery daemon.
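The following script is an added example for the procedure above; it is not Juniper's or osquery's own code. It takes an existing osquery.conf, sets the required options, appends syslog to logger_plugin without dropping any logger that is already configured, registers the pack under "packs", and warns when the local file already defines "file_paths", because those take precedence over the file integrity monitoring paths in qradar.pack.conf. The starting configuration, the pack path /etc/osquery/packs/qradar.pack.conf and the function names are constructed placeholders.

```python
"""Prepare osquery.conf for the JSA osquery DSM.

Added example, not Juniper's or osquery's code. It applies the settings
from the procedure above to an existing osquery.conf. The input config
and the pack path below are constructed placeholders.
"""
import json
from typing import Any, Dict, List, Tuple

REQUIRED_OPTIONS = {"disable_logging": "false", "disable_events": "false"}
REQUIRED_LOGGER_PLUGINS = ("filesystem", "syslog")


def parse_config(text: str) -> Dict[str, Any]:
    """osquery.conf is strict JSON: a missing comma between options is a
    syntax error, so report where it is instead of a bare decode failure."""
    try:
        return json.loads(text)
    except json.JSONDecodeError as exc:
        raise ValueError(
            f"osquery.conf is not valid JSON at line {exc.lineno}, "
            f"column {exc.colno}: {exc.msg}"
        ) from exc


def configure_for_jsa(conf: Dict[str, Any], pack_path: str) -> Tuple[Dict[str, Any], List[str]]:
    """Return a copy of conf with the JSA settings applied, plus any warnings."""
    conf = json.loads(json.dumps(conf))  # deep copy; never mutate the caller's dict
    warnings: List[str] = []
    options = conf.setdefault("options", {})
    for key, wanted in REQUIRED_OPTIONS.items():
        current = options.get(key)
        if current is not None and str(current).lower() != wanted:
            warnings.append(f'options.{key} was {current!r}; set to "{wanted}"')
        options[key] = wanted
    # logger_plugin is a comma-separated list; keep whatever is already there.
    plugins = [p.strip() for p in str(options.get("logger_plugin", "")).split(",") if p.strip()]
    for plugin in REQUIRED_LOGGER_PLUGINS:
        if plugin not in plugins:
            plugins.append(plugin)
    options["logger_plugin"] = ",".join(plugins)
    packs = conf.setdefault("packs", {})
    if packs.get("qradar") not in (None, pack_path):
        warnings.append(f'packs.qradar pointed at {packs["qradar"]!r}; replaced with {pack_path!r}')
    packs["qradar"] = pack_path
    if conf.get("file_paths"):
        warnings.append('this file defines "file_paths"; they take precedence over the '
                        'file integrity monitoring paths in qradar.pack.conf')
    return conf, warnings


def render(conf: Dict[str, Any]) -> str:
    """Pretty-print the config as the text to write back to osquery.conf."""
    return json.dumps(conf, indent=2) + "\n"


# Constructed starting point: a config that already logs to the filesystem,
# has logging disabled, and carries its own FIM paths.
EXISTING_CONF = """{
  "options": {"logger_plugin": "filesystem", "disable_logging": "true"},
  "file_paths": {"etc": ["/etc/%%"]}
}"""
# Constructed path; use wherever you copied the pack in step 2.
PACK_PATH = "/etc/osquery/packs/qradar.pack.conf"

if __name__ == "__main__":
    new_conf, notes = configure_for_jsa(parse_config(EXISTING_CONF), PACK_PATH)
    for note in notes:
        print("warning:", note)
    print(render(new_conf))
```

Run it, review the warnings, then write the rendered output over /etc/osquery/osquery.conf and restart the daemon. parse_config exists because a fragment pasted without commas is a syntax error that osqueryd rejects at startup; catching it with a line and column before the restart saves a round trip.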

osquery log source parameters

When you add an osquery log source on the JSA Console by using the TCP multiline syslog protocol, there are specific parameters you must use.

Note

You might need to restart rsyslog after you add the log source in JSA.

The following table describes the parameters that require specific values to collect TCP multiline syslog events from osquery:

Table 2: TCP multiline syslog log source parameters for the osquery DSM

Log Source type: osquery
Protocol Configuration: TCP Multiline Syslog
Log Source Identifier: osquery
Listen Port: 12468
Aggregation Method: Id-Linked
Message ID Pattern: "Unique_ID":\"(.*?)"
Event Formatter: No Formatting
Show Advanced Options: Yes
Use As A Gateway Log Source: Select this option. When selected, events that flow through the log source can be routed to other log sources based on the source name tagged on the events.
Retain Entire Lines During Event Aggregation: Select this option. When selected, you choose whether to discard or keep the part of each event that precedes the Message ID Pattern match when events that share the same ID are concatenated.
Time Limit: 5
Enabled: Select this option to enable the log source.

Sample event message

Use this sample event message to verify that the integration with JSA is working.

The following table provides a sample event message when using the TCP multiline syslog protocol for the osquery DSM:

Table 3: osquery DSM sample message supported by osquery

Event name: User Added
Low-level category: User Account Added
Sample log message:

<158>Sep 23 08:48:48 osquery.test osqueryd[16768]: {"name":"pack_qradar_users","hostIdentifier":"osquery.test.localdomain","calendarTime":"Mon Sep 23 12:48:48 2019 UTC","unixTime":1569242928,"epoch":0,"counter":21041,"decorations":{"host_uuid":"dd4b2142-1fa2-e1cd-c755-6bfb3cc33b55","last_logged_in_user":"root","username":"root"},"columns":{"Unique_ID":"1030-","description":"","directory":"/home/username6001","gid":"1030","gid_signed":"1030","query_name":"users","shell":"/bin/bash","uid":"1030","uid_signed":"1030","username":"username6001","uuid":""},"action":"added"}
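The following script is an added example, not JSA or osquery code, that models what the Table 2 settings do to the lines rsyslog delivers. It applies the exact Message ID Pattern, links lines that share a Unique_ID the way the Id-Linked aggregation method does, flushes a group when the Time Limit has passed since its first line (the value 5 is taken here to be seconds, which is an assumption), and then strips the syslog header and decodes the JSON of each aggregated event. The syslog lines, their arrival times and the event-name mapping are constructed from the Table 3 sample; how the real protocol splits and buffers lines internally is not described on this page.

```python
"""Model the JSA TCP multiline syslog settings for the osquery DSM.

Added example, not JSA or osquery code. Lines, timestamps and the
event-name mapping are constructed from the Table 3 sample.
"""
import json
import re
from collections import OrderedDict
from typing import Any, Dict, Iterable, List, Optional, Tuple

MESSAGE_ID_PATTERN = re.compile(r'"Unique_ID":\"(.*?)"')  # exact value from Table 2
TIME_LIMIT_SECONDS = 5                                     # Table 2 value; assumed to be seconds
# <PRI>Mon DD HH:MM:SS host tag[pid]: payload
SYSLOG_HEADER = re.compile(r'^<\d+>\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ \S+?(?:\[\d+\])?: ')


def message_id(line: str) -> Optional[str]:
    """The ID that lines are linked on, or None if the pattern does not match."""
    m = MESSAGE_ID_PATTERN.search(line)
    return m.group(1) if m else None


def aggregate(lines: Iterable[Tuple[float, str]],
              time_limit: float = TIME_LIMIT_SECONDS) -> List[Tuple[Optional[str], str]]:
    """Id-Linked aggregation over (arrival_seconds, raw_line) pairs.

    Lines with the same ID are joined into one event with every line kept
    whole (Retain Entire Lines). A line with no ID is emitted on its own.
    """
    open_groups: "OrderedDict[str, Tuple[float, List[str]]]" = OrderedDict()
    events: List[Tuple[Optional[str], str]] = []
    for arrived, line in lines:
        for gid in list(open_groups):          # expire groups older than the time limit
            first_seen, parts = open_groups[gid]
            if arrived - first_seen >= time_limit:
                events.append((gid, "\n".join(parts)))
                del open_groups[gid]
        mid = message_id(line)
        if mid is None:
            events.append((None, line))
        elif mid in open_groups:
            open_groups[mid][1].append(line)
        else:
            open_groups[mid] = (arrived, [line])
    for gid, (_, parts) in open_groups.items():  # flush whatever is still open
        events.append((gid, "\n".join(parts)))
    return events


def payloads(event_text: str) -> List[Dict[str, Any]]:
    """Strip the syslog header from each line of an aggregated event and decode its JSON."""
    return [json.loads(SYSLOG_HEADER.sub("", line, count=1)) for line in event_text.splitlines()]


def event_name(payload: Dict[str, Any]) -> str:
    """Only the mapping shown in Table 3 is known from this page."""
    if payload.get("name") == "pack_qradar_users" and payload.get("action") == "added":
        return "User Added"
    return "Unknown"


def user_columns(uid: str, username: str) -> Dict[str, str]:
    """Columns shaped like the Table 3 sample (constructed)."""
    return {"Unique_ID": f"{uid}-", "description": "", "directory": f"/home/{username}",
            "gid": uid, "gid_signed": uid, "query_name": "users", "shell": "/bin/bash",
            "uid": uid, "uid_signed": uid, "username": username, "uuid": ""}


def osquery_line(hhmmss: str, columns: Dict[str, str], action: str = "added") -> str:
    """A syslog line shaped like the Table 3 sample (constructed, not real output)."""
    payload = {"name": "pack_qradar_users", "hostIdentifier": "osquery.test.localdomain",
               "calendarTime": "Mon Sep 23 12:48:48 2019 UTC", "unixTime": 1569242928,
               "epoch": 0, "counter": 21041,
               "decorations": {"host_uuid": "dd4b2142-1fa2-e1cd-c755-6bfb3cc33b55",
                               "last_logged_in_user": "root", "username": "root"},
               "columns": columns, "action": action}
    return f"<158>Sep 23 {hhmmss} osquery.test osqueryd[16768]: " + json.dumps(payload, separators=(",", ":"))


# Constructed arrival stream: two lines for uid 1030 inside the window, one for
# uid 1031, a line with no ID, then a late 1030 line after the window expired.
SAMPLE_LINES = [
    (0.0, osquery_line("08:48:48", user_columns("1030", "username6001"))),
    (1.0, osquery_line("08:48:49", user_columns("1031", "username6002"))),
    (2.0, osquery_line("08:48:50", user_columns("1030", "username6001"))),
    (3.0, "<158>Sep 23 08:48:51 osquery.test osqueryd[16768]: constructed line with no Unique_ID"),
    (7.0, osquery_line("08:48:55", user_columns("1030", "username6001"))),
]

if __name__ == "__main__":
    for gid, text in aggregate(SAMPLE_LINES):
        names = [event_name(p) for p in payloads(text)] if gid else ["(no ID)"]
        print(gid, len(text.splitlines()), "line(s):", names)
```

The ID-less line shows why the Message ID Pattern must match every line the pack emits: anything without a Unique_ID is never linked and surfaces as its own event. The late 1030 line shows the effect of the Time Limit: once the window closes, the same ID starts a new event rather than extending the old one.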