Installation

Osquery is the heart of easySIEM: machines are identified and monitored through it, so the first step is to install osquery across the entire fleet in order to use the platform effectively.

DOWNLOAD_URL

Get the download URL from the Configuration section of the dashboard. The shell commands below expect it in the environment variable DOWNLOAD_URL.

Double-click (or double-tap) the disabled input box to select and copy it.

Debian

Installation using APT

export OSQUERY_KEY=1484120AC4E9F8A1A577AEEE97A80C63C9D8B80B
sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys $OSQUERY_KEY
sudo add-apt-repository 'deb [arch=amd64] https://pkg.osquery.io/deb deb main'
sudo apt-get update
sudo apt-get install osquery python3 python3-pip
sudo pip3 install osquery
curl -o osquery_files.zip "$DOWNLOAD_URL"
sudo unzip -o osquery_files.zip -d /etc/osquery
sudo chmod -R 711 /etc/osquery/extensions/
sudo systemctl enable osqueryd
sudo service osqueryd restart

RPM

Installation using yum

sudo yum-config-manager --add-repo https://pkg.osquery.io/rpm/osquery-s3-rpm.repo
sudo yum-config-manager --enable osquery-s3-rpm
sudo yum install osquery python3 python3-pip
sudo pip3 install osquery
curl -o osquery_files.zip "$DOWNLOAD_URL"
sudo unzip osquery_files.zip -d /etc/osquery
sudo systemctl enable osqueryd
sudo service osqueryd restart
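The Debian and RPM steps above unpack the bundle from DOWNLOAD_URL into /etc/osquery and then start osqueryd as root, so it is worth checking what landed there before the service picks it up. The script below is an added example, not part of easySIEM or osquery: it assumes the bundle contains osquery.flags, osquery.conf, an osquery.secret enrollment secret and an extensions/ directory (the file names are assumptions), and it flags a missing file, a secret readable by anyone but root, and anything world-writable under extensions/.

```shell
#!/usr/bin/env bash
# Sanity check for an unpacked easySIEM osquery bundle (added example, not
# part of easySIEM). ASSUMED layout inside the osquery config directory:
#   osquery.flags, osquery.conf, osquery.secret (enrollment secret),
#   extensions/ (extension binaries, chmod 711 per the Debian steps)

# check_osquery_dir DIR : print one line per problem, return 1 if any found.
check_osquery_dir() {
  dir="$1"; problems=0
  for f in osquery.flags osquery.conf; do
    [ -f "$dir/$f" ] || { echo "missing $dir/$f"; problems=$((problems + 1)); }
  done
  # The enrollment secret should be readable by root only: ls columns 5-10
  # are the group/other bits, so any letter there means it is over-exposed.
  if [ -f "$dir/osquery.secret" ]; then
    case "$(ls -ld "$dir/osquery.secret" | cut -c5-10)" in
      *[rwx]*) echo "osquery.secret readable by group/others"; problems=$((problems + 1)) ;;
    esac
  fi
  # Extensions are loaded by the root osqueryd service, so nothing under
  # extensions/ may be world-writable (ls column 9 is the other-write bit).
  if [ -d "$dir/extensions" ]; then
    for p in "$dir/extensions" "$dir"/extensions/*; do
      [ -e "$p" ] || continue
      case "$(ls -ld "$p" | cut -c9)" in
        w) echo "world-writable: $p"; problems=$((problems + 1)) ;;
      esac
    done
  fi
  [ "$problems" -eq 0 ]
}

# make_sample_bundle DIR good|bad : construct a sample layout for testing.
make_sample_bundle() {
  mkdir -p "$1/extensions"
  : > "$1/osquery.flags"
  echo "constructed-secret" > "$1/osquery.secret"
  : > "$1/extensions/demo.ext"
  if [ "$2" = good ]; then
    : > "$1/osquery.conf"
    chmod 600 "$1/osquery.secret"; chmod 711 "$1/extensions"; chmod 755 "$1/extensions/demo.ext"
  else
    chmod 644 "$1/osquery.secret"; chmod 777 "$1/extensions/demo.ext"
  fi
}

# Stand-alone run on constructed bundles: the bad one reports a missing
# osquery.conf, an exposed secret and a world-writable extension.
tmp=$(mktemp -d); make_sample_bundle "$tmp/good" good; make_sample_bundle "$tmp/bad" bad
check_osquery_dir "$tmp/good" && echo "good bundle: ok"
check_osquery_dir "$tmp/bad" || echo "bad bundle: problems found"
rm -rf "$tmp"
```

To check a real install, run `check_osquery_dir /etc/osquery` as root after the unzip step and before restarting osqueryd.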

macOS

Installation using brew

brew update
brew install osquery
# Install the osquery Python package for extensions
sudo pip install osquery
curl -o osquery_files.zip "$DOWNLOAD_URL"
sudo unzip osquery_files.zip -d /private/var/osquery
sudo cp /var/osquery/com.facebook.osqueryd.plist /Library/LaunchDaemons/
sudo launchctl load /Library/LaunchDaemons/com.facebook.osqueryd.plist
sudo launchctl start /Library/LaunchDaemons/com.facebook.osqueryd.plist

Installation using pkg installer

Download the pkg from the official downloads page: https://osquery.io/downloads/official/4.3.0

Post-installation steps

sudo cp /var/osquery/osquery.example.conf /var/osquery/osquery.conf
sudo cp /var/osquery/com.facebook.osqueryd.plist /Library/LaunchDaemons/
sudo launchctl load /Library/LaunchDaemons/com.facebook.osqueryd.plist
sudo launchctl start /Library/LaunchDaemons/com.facebook.osqueryd.plist

Windows

A. Installation using choco

choco install osquery --params='/InstallService'

B. Installation using MSI

Download and install the official .msi package installer from https://osquery.io/downloads/official/4.3.0

After installation

Download the flag file and secret from DOWNLOAD_WINDOWS_URL and unzip them into C:\ProgramData\osquery\

Open PowerShell as administrator

Start-Service osqueryd

In cmd.exe

sc.exe stop osqueryd
sc.exe start osqueryd

Windows event log

  • Install: .\manage-osqueryd.ps1 -installWelManifest

  • Uninstall: .\manage-osqueryd.ps1 -uninstallWelManifest

Resources