Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

New component: osquery #30375

Closed
2 tasks
smithclay opened this issue Jan 9, 2024 · 9 comments
Closed
2 tasks

New component: osquery #30375

smithclay opened this issue Jan 9, 2024 · 9 comments
Labels

Comments

@smithclay
Copy link
Contributor

smithclay commented Jan 9, 2024

The purpose and use-cases of the new component

osquery is a popular open-source Linux Foundation project that allows system administrators to query information about their systems using a SQL-like language.

As a collector receiver for logs, it allows users to extract detailed information about their Linux, macOS, or Windows systems like running processes, certificates, or disks on a predefined schedule. This receiver is particularly helpful for using the collector for security and compliance use-cases.

Example configuration for the component

osquery:
  collection_internal: 10s
  extensions_socket: /var/osquery/osquery.em
  queries:
    - "select * from certificates"
    - "select * from block_devices"

Telemetry data types supported

logs

Is this a vendor-specific component?

  • This is a vendor-specific component
  • If this is a vendor-specific component, I am proposing to contribute and support it as a representative of the vendor.

Code Owner(s)

@smithclay

Sponsor (optional)

@codeboten

Additional context

No response

@smithclay smithclay added needs triage New item requiring triage Sponsor Needed New component seeking sponsor labels Jan 9, 2024
@codeboten
Copy link
Contributor

Thanks for submitting this @smithclay, curious how using this as a separate receiver would compare to using osquery with something like a syslog logger plugin combined with the syslogreceiver for example

@smithclay
Copy link
Contributor Author

Thanks for submitting this @smithclay, curious how using this as a separate receiver would compare to using osquery with something like a syslog logger plugin combined with the syslogreceiver for example

The main benefit is giving collector users flexibility to issue one-off queries (at arbitrary intervals) without having to edit the system's config file for osqueryd. It also centralizes, in a collector's config, gathering metrics about a resource (like disk IO) and detailed information (like disk serial number) about those same resources.

More medium-term: remote configuration via opAMP opens up even more security and compliance use-cases if this is a collector receiver. For example, gathering more detailed metrics, logs (via osquery), and traces for a particular server after it is impacted by a security incident.

@codeboten codeboten added Accepted Component New component has been sponsored and removed Sponsor Needed New component seeking sponsor needs triage New item requiring triage labels Jan 10, 2024
@codeboten
Copy link
Contributor

thanks for clarifying @smithclay! do you have a sample output you expect to see from osquery?

@smithclay
Copy link
Contributor Author

thanks for clarifying @smithclay! do you have a sample output you expect to see from osquery?

Here's example output for disk devices (one of 100+ different data sources), idea is this would turn into two log lines with the columns being resource attributes:
image

codeboten pushed a commit that referenced this issue Jan 16, 2024
This change adds the skeleton for the
[osquery](https://osquery.io/) receiver, a new log receiver that pulls
structured system data from the [osquery
daemon](https://github.com/osquery/osquery).

**Link to tracking Issue:** #30375

**Testing:** Skeleton unit tests added.

**Documentation:** See README.md in receiver folder. For osquery
documentation, see [here](https://osquery.readthedocs.io/en/stable/).
cparkins pushed a commit to AmadeusITGroup/opentelemetry-collector-contrib that referenced this issue Feb 1, 2024
…try#30458)

This change adds the skeleton for the
[osquery](https://osquery.io/) receiver, a new log receiver that pulls
structured system data from the [osquery
daemon](https://github.com/osquery/osquery).

**Link to tracking Issue:** open-telemetry#30375

**Testing:** Skeleton unit tests added.

**Documentation:** See README.md in receiver folder. For osquery
documentation, see [here](https://osquery.readthedocs.io/en/stable/).
Copy link
Contributor

This issue has been inactive for 60 days. It will be closed in 60 days if there is no activity. To ping code owners by adding a component label, see Adding Labels via Comments, or if you are unsure of which component this issue relates to, please ping @open-telemetry/collector-contrib-triagers. If this issue is still relevant, please ping the code owners or leave a comment explaining why it is still relevant. Otherwise, please close it.

@github-actions github-actions bot added the Stale label Mar 12, 2024
@smithclay
Copy link
Contributor Author

Hey, will be getting back to this next week :)

Copy link
Contributor

This issue has been inactive for 60 days. It will be closed in 60 days if there is no activity. To ping code owners by adding a component label, see Adding Labels via Comments, or if you are unsure of which component this issue relates to, please ping @open-telemetry/collector-contrib-triagers. If this issue is still relevant, please ping the code owners or leave a comment explaining why it is still relevant. Otherwise, please close it.

@github-actions github-actions bot added the Stale label May 15, 2024
Copy link
Contributor

This issue has been closed as inactive because it has been stale for 120 days with no activity.

@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale Jul 14, 2024
@smaddock
Copy link

Why was this abandoned?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests

3 participants