Role Detail

apolloclark.osquery

Install and configure osquery

Downloads: 19
Type: Ansible
Minimum Ansible Version: 2.2
Installation: $ ansible-galaxy install apolloclark.osquery

Tags: devopssec, facebook, logging, metrics, monitoring, osquery, security

OS Platforms

Platform Version
Debian etch
Debian jessie
Debian lenny
Debian sid
Debian squeeze
Debian stretch
Debian wheezy
Ubuntu artful
Ubuntu lucid
Ubuntu maverick
Ubuntu natty
Ubuntu oneiric
Ubuntu precise
Ubuntu quantal
Ubuntu raring
Ubuntu saucy
Ubuntu trusty
Ubuntu utopic
Ubuntu vivid
Ubuntu wily
Ubuntu xenial
Ubuntu yakkety
Ubuntu zesty

Ansible Role: osquery

Ansible Role to install and configure osquery for Ubuntu.

Requirements

None.

Role Variables

Available variables are listed below, along with their default values (see defaults/main.yml). You can override these values by defining a dictionary called "osquery".

Set the osquery daemon name.

daemon: "osqueryd"

Set the location of the config directory.

config_include_dir: "/etc/osquery"

Configure the config plugin type.

config_plugin: "filesystem"

Configure the logger plugin.

logger_plugin: "filesystem"

Configure the logger directory.

logger_path: "/var/log/osquery"

Disable INFO, WARN, and ERROR status logs. Query results are still written.

disable_logging: "false"

Splay the scheduled interval for queries.

schedule_splay_percent: 10

Write the pid of the osqueryd process to a pidfile/mutex.

pidfile: "/var/osquery/osquery.pidfile"

Clear events from the osquery backing store after a number of seconds.

events_expiry: 3600

A filesystem path for disk-based backing storage used for events and query results.

database_path: "/var/osquery/osquery.db"

Comma-delimited list of table names to be disabled.

disable_tables: ""

Enable debug or verbose debug output when logging.

verbose: "true"

Maximum file read size.

read_max: 100000

Maximum number of events per type to buffer.

events_max: 100000

Enable the schedule monitor.

enable_monitor: "true"

Identifier used for the host running osquery (hostname or uuid).

host_identifier: "hostname"

Dependencies

None.

Example Playbook

- hosts: all
  roles:
    - apolloclark.osquery
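The minimal playbook above uses the role's defaults. The playbook below is an added example, not part of the role's README: it overrides the "osquery" dictionary described under Role Variables and then checks that the daemon came up. It assumes the role reads every key from that dictionary (as the README states), that the service is the osqueryd daemon named by the daemon variable, and that the osquery package also installs the osqueryi shell; whether a partial dictionary is merged with defaults/main.yml is not shown on this page, so every key is set explicitly.

```yaml
# Added example: override the role's "osquery" dictionary and verify the result.
# Not part of the apolloclark.osquery README.
- hosts: all
  become: yes
  vars:
    # All keys from the role's variable list are set here. Whether a partial
    # dictionary would be merged with defaults/main.yml depends on the role's
    # internals (not shown on this page), so listing every key is the safe choice.
    osquery:
      daemon: "osqueryd"
      config_include_dir: "/etc/osquery"
      config_plugin: "filesystem"
      logger_plugin: "filesystem"
      logger_path: "/var/log/osquery"
      disable_logging: "false"        # keep status logs; query results are written either way
      schedule_splay_percent: 10
      pidfile: "/var/osquery/osquery.pidfile"
      events_expiry: 3600
      database_path: "/var/osquery/osquery.db"
      disable_tables: ""
      verbose: "false"                # role default is "true"; debug output is noisy on production hosts
      read_max: 100000
      events_max: 100000
      enable_monitor: "true"
      host_identifier: "uuid"         # survives hostname changes, useful when logs are shipped centrally
  roles:
    - apolloclark.osquery

  post_tasks:
    # Assumption: osqueryd writes its pidfile at the configured path once it is running.
    - name: Check that the daemon wrote its pidfile
      stat:
        path: "{{ osquery.pidfile }}"
      register: osq_pid

    - name: Fail if osqueryd does not appear to be running
      assert:
        that:
          - osq_pid.stat.exists
        msg: "pidfile {{ osquery.pidfile }} not found; review the role output"

    # osqueryi is the interactive shell shipped with the osquery package;
    # --json switches its output mode to JSON.
    - name: Report the installed osquery version
      command: osqueryi --json "SELECT version FROM osquery_info;"
      register: osq_version
      changed_when: false

    - debug:
        var: osq_version.stdout
```

Run it with ansible-playbook against an inventory of Ubuntu hosts. The post_tasks only confirm the daemon started and which version is installed; the stat check is the quickest signal that the configured paths were accepted, since osqueryd will not create the pidfile if its config fails to parse.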

License

MIT / BSD

Author Information

This role was created in 2017 by Apollo Clark.