Osquery log flow and rules

[theflakes]

Hello,

I'm starting to work on using Osquery for automating hunts and then having the logs it produces inspected via rules somehow. Initially looking at using Elastalert.

When I run a query via Fleet I get results in that web Gui but I cannot see the logs in Kibana. I've looked at how logs flow from Osquery to Kibana but coming up empty. I do see some Osquery logs in Kibana but no logs generated by my queries. Not seeing any of my queries' logs in /nsm/osquery/fleet/result.log.

I feel like I'm missing something simple, and I apologize if I am. This is the first time I've worked with Osquery in quite some time.

thanks for any help

[dougburks]

What Security Onion version are you running?

[theflakes]

Running latest version, 2.3.250-20230519. What we hope to do is expand Osquery in SO to automate cataloging persistence mechanisms. Then wrapping automated hunts around that telemetry via rules. Then publish that back to you all if you find it useful. It's a student driven research project.

[theflakes]

If it helps, we are running in a virtual environment with SO installed as standalone with Internet access. We have Wazuh, osquery agent, and I also installed Winlogbeats on one of our Win10 client VMs. Agents downloaded from the SO download web GUI.

[defensivedepth]

Live Queries only show up in the FleetDM Web interface. Scheduled query results will be stored in Elasticsearch & available to view via Hunt or Kibana.

With the upcoming 2.4 release, both Live Query results & scheduled query results will be viewable in Hunt.

[Jtl1e]

Can you provide information on how the query will be displayed in Hunt/Kibana? I'm having difficulty locating them within it, and I believe it may be due to my own lack of knowledge at this point.

After conducting a manual scan in Fleet, the attached picture illustrates the information I received. However, I am uncertain about locating the corresponding information in Hunt/Kibana when I have the same scan running as a scheduled scan.