The most recent osquery development required for zeek-osquery is currently located in the osquery fork by iBigQ. It is based on osquery version 3.3.0 and is upgraded to the latest osquery version when possible.
git clone --recursive https://github.com/iBigQ/osquery
cd osquery
make deps
./tools/provision.sh install osquery/osquery-local/caf
./tools/provision.sh install osquery/osquery-local/broker
SKIP_BRO=False make && sudo make install
This installation includes the latest development version of the communication library Broker that comes with e.g. SSL support.
Optionally, please see the official osquery documentation on how to install osquery daemon as a service.
You can specify the configuration options required for zeek-osquery either on the command line or in the configuration file of osquery. Optionally, please see the official osquery documentation on how to write the configuration file. Possible options are as follows:
{
"options": {
"disable_distributed": "false",
"distributed_interval": "0",
"distributed_plugin": "bro",
"bro_ip": "192.168.137.1",
"bro_port": "9999",
"bro_groups": {
"group1": "geo/de/hamburg",
"group2": "orga/uhh/cs/iss"
},
"logger_plugin": "bro",
"log_result_events": "false",
"disable_events": "0",
"disable_audit": "0",
"audit_persist": "1",
"audit_allow_config": "1",
"audit_allow_sockets": "1"
}
}
Build Zeek version 2.6.4 from source to include a particular Broker version.
git clone --recursive https://github.com/zeek/zeek --branch v2.6.4
cd zeek
./configure && make && sudo make install
The Zeek scripts have to be extended to be able to talk to osquery hosts. Please find the scripts in the zeek-osquery repository repository in the folder named osquery
.
To make the scripts available in Zeek, either copy/link this folder into $PREFIX/share/bro/site (see Zeek manual) or make the environment variable BROPATH to point to the framework folder (see Zeek manual).
Alternatively, use the bro package manager and configure the custom package source https://github.com/ibigq/zeek-osquery-packages
to install the respective zeek-osquery packages.