如何根据osquery.conf文件中的计划事件分隔日志？

Question

可以打开osquery的结果日志吗？目前，每个查询都集中在osqueryd.results.log中，但我想根据预定的事件来划分日志。我如何才能做到这一点？

示例：

 {
  "options": {
    "config_plugin": "filesystem",
    "logger_plugin": "filesystem",
    "host_identifier": "hostname",
    "utc": "true"
  },
  "schedule": {
    "crontab": {
      "query": "SELECT * FROM crontab;",
      "interval": 100000,
      +"logger_path": "/var/log/osquery/crontab.log"

    },
    "file_events": {
      "query": "SELECT * FROM file_events;",
      "removed": false,
      "interval": 10,
      +"logger_path": "/var/log/osquery/file_events.log"
    }
  },
  "file_paths": {
    "homes": [
      "/home/%/.ssh/%%"
    ],
    "etc": [
      "/etc/%%"
    ]
  },
  "exclude_paths": {
    "resolv.conf.*": [
      "/etc/resolv.conf.%"
    ]
  },
  "decorators": {
    "load": [
      "SELECT uuid AS host_uuid FROM system_info;",
      "SELECT user AS username FROM logged_in_users ORDER BY time DESC LIMIT 1;"
    ]
  }
}

Answer 1

osquery中不存在此功能。

您有几个选项：

1)日志是否被送入日志记录管道？您可以在该管道中将它们拆分。

2)使用osquery工程打开feature request。不能保证将会实现什么，但这是一个开始讨论的好方法。