rtacconi · June 7, 2017 11:29
diff --git a/gistfile1.txt b/gistfile1.txt
 {
  // Configure the daemon below:
  "options": {
    "host_identifier": "scw-xxxxxxx",
    "config_plugin": "filesystem",
    // Select the osquery logging plugin.
    "logger_plugin": "aws_kinesis",
    "enable_monitor": "true",

    // Splay the scheduled interval for queries.
    // This is very helpful to prevent system performance impact when scheduling
    // large numbers of queries that run a smaller or similar intervals.
    "schedule_splay_percent": "10",

    // Write the pid of the osqueryd process to a pidfile/mutex.
    //"pidfile": "/var/osquery/osquery.pidfile",

    // Clear events from the osquery backing store after a number of seconds.
    "events_expiry": "3600",

    // Comma-delimited list of table names to be disabled.
    // This allows osquery to be launched without certain tables.
    //"disable_tables": "foo_bar,time",

    // Enable debug or verbose debug output when logging.
    "verbose": "true",

    "disable_logging": "false",
    "enable_syslog": "true",

    // Kinesis
    "aws_kinesis_stream": "kinesis_logs_stream",
    "aws_access_key_id": "XXXXXXXXXXXXXXXX",
    "aws_secret_access_key": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
    "aws_region": "eu-west-1",
    "aws_kinesis_period": "10"
  },

  "schedule": {
    "syslog": {
      // "query": "SELECT * FROM syslog WHERE tag LIKE '%sshd%';",
      "query": "SELECT * FROM syslog;",
      "interval": 10
    },
    "etc_hosts": {
      "query": "select * from etc_hosts;",
      "interval": 10
    }
  },

  // Decorators are normal queries that append data to every query.
  "decorators": {
    "load": [
      "SELECT uuid AS host_uuid FROM system_info;",
      "SELECT user AS username FROM logged_in_users ORDER BY time DESC LIMIT 1;"
    ]
  },

  // Add default osquery packs or install your own.
  //
  // There are several 'default' packs installed with 'make install' or via
  // packages and/or Homebrew.
  //
  // Linux:        /usr/share/osquery/packs
  // OS X:         /var/osquery/packs
  // Homebrew:     /usr/local/share/osquery/packs
  // make install: {PREFIX}/share/osquery/packs
  //
  "packs": {
    "osquery-monitoring": "/usr/share/osquery/packs/osquery-monitoring.conf"
    // "incident-response": "/usr/share/osquery/packs/incident-response.conf",
    // "it-compliance": "/usr/share/osquery/packs/it-compliance.conf",
    // "osx-attacks": "/usr/share/osquery/packs/osx-attacks.conf",
    // "vuln-management": "/usr/share/osquery/packs/vuln-management.conf",
    // "hardware-monitoring": "/usr/share/osquery/packs/hardware-monitoring.conf"
  }
 }
	{
	// Configure the daemon below:
	"options": {
	"host_identifier": "scw-xxxxxxx",
	"config_plugin": "filesystem",
	// Select the osquery logging plugin.
	"logger_plugin": "aws_kinesis",
	"enable_monitor": "true",

	// Splay the scheduled interval for queries.
	// This is very helpful to prevent system performance impact when scheduling
	// large numbers of queries that run a smaller or similar intervals.
	"schedule_splay_percent": "10",

	// Write the pid of the osqueryd process to a pidfile/mutex.
	//"pidfile": "/var/osquery/osquery.pidfile",

	// Clear events from the osquery backing store after a number of seconds.
	"events_expiry": "3600",

	// Comma-delimited list of table names to be disabled.
	// This allows osquery to be launched without certain tables.
	//"disable_tables": "foo_bar,time",

	// Enable debug or verbose debug output when logging.
	"verbose": "true",

	"disable_logging": "false",
	"enable_syslog": "true",

	// Kinesis
	"aws_kinesis_stream": "kinesis_logs_stream",
	"aws_access_key_id": "XXXXXXXXXXXXXXXX",
	"aws_secret_access_key": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
	"aws_region": "eu-west-1",
	"aws_kinesis_period": "10"
	},

	"schedule": {
	"syslog": {
	// "query": "SELECT * FROM syslog WHERE tag LIKE '%sshd%';",
	"query": "SELECT * FROM syslog;",
	"interval": 10
	},
	"etc_hosts": {
	"query": "select * from etc_hosts;",
	"interval": 10
	}
	},

	// Decorators are normal queries that append data to every query.
	"decorators": {
	"load": [
	"SELECT uuid AS host_uuid FROM system_info;",
	"SELECT user AS username FROM logged_in_users ORDER BY time DESC LIMIT 1;"
	]
	},

	// Add default osquery packs or install your own.
	//
	// There are several 'default' packs installed with 'make install' or via
	// packages and/or Homebrew.
	//
	// Linux: /usr/share/osquery/packs
	// OS X: /var/osquery/packs
	// Homebrew: /usr/local/share/osquery/packs
	// make install: {PREFIX}/share/osquery/packs
	//
	"packs": {
	"osquery-monitoring": "/usr/share/osquery/packs/osquery-monitoring.conf"
	// "incident-response": "/usr/share/osquery/packs/incident-response.conf",
	// "it-compliance": "/usr/share/osquery/packs/it-compliance.conf",
	// "osx-attacks": "/usr/share/osquery/packs/osx-attacks.conf",
	// "vuln-management": "/usr/share/osquery/packs/vuln-management.conf",
	// "hardware-monitoring": "/usr/share/osquery/packs/hardware-monitoring.conf"
	}
	}