Using Osquery with Graylog

Hi All,

I was just wondering if this was possible.

  1. We install osquery on endpoints
  2. We use Filebeat to monitor the osquery results file. Each time an automated query is undertaken, Filebeat ships the results in JSON form to Graylog.
  3. On the Graylog side, we use the ‘Elastic Beats Input Plugin’ to provide inputs for Filebeat data from osquery?

Am I missing something?

Cheers

Jake

@Magneton you could add a JSON extractor to create single fields out of the message to be able to search more efficiently.
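As an added illustration of what that extractor buys you (this is example code written for this thread, not code from Graylog, Filebeat or osquery), the script below takes lines in the shape osqueryd writes to its results log, flattens the nested `columns` and `decorations` objects into single fields with a `_` separator, and then filters on those fields the way a Graylog search would. The sample log lines are constructed, the host name, pack names and row values are made up, and the `select` helper only stands in for a field-based search. One caveat the flattening makes visible: snapshot queries put every result row into one `snapshot` array, so the script emits one event per row to keep field names identical to differential (`added`/`removed`) results.

```python
"""Flatten osquery results-log lines into searchable fields.

Constructed example for this thread; not code from Graylog, Filebeat or
osquery. SAMPLE_RESULTS_LOG is made-up data in the one-JSON-object-per-line
shape osqueryd writes to osqueryd.results.log.
"""
import json
from typing import Any, Dict, List

# Fields every results-log record carries (values constructed for the example).
_COMMON: Dict[str, Any] = {
    "hostIdentifier": "ws-0042",
    "calendarTime": "Wed Jan  1 00:00:00 2025 UTC",
    "unixTime": 1735689600,
    "epoch": 0,
    "numerics": False,
    "decorations": {
        "host_uuid": "3f1c2e7a-0000-4000-8000-000000000042",
        "username": "jake",
    },
}

SAMPLE_RESULTS_LOG = "\n".join(json.dumps(record) for record in [
    # Differential query: a new listener appeared ...
    {**_COMMON, "name": "pack_incident-response_listening_ports", "counter": 3,
     "action": "added",
     "columns": {"pid": "1204", "port": "4444", "protocol": "6",
                 "address": "0.0.0.0", "path": "/tmp/nc"}},
    # ... and later went away again.
    {**_COMMON, "name": "pack_incident-response_listening_ports", "counter": 4,
     "action": "removed",
     "columns": {"pid": "1204", "port": "4444", "protocol": "6",
                 "address": "0.0.0.0", "path": "/tmp/nc"}},
    # Snapshot query: all rows arrive in a single array.
    {**_COMMON, "name": "pack_incident-response_users", "counter": 0,
     "action": "snapshot",
     "snapshot": [{"username": "jake", "uid": "1000"},
                  {"username": "root", "uid": "0"}]},
])


def flatten(obj: Dict[str, Any], prefix: str = "", sep: str = "_") -> Dict[str, Any]:
    """Recursively flatten nested dicts: {"columns": {"pid": "1"}} -> {"columns_pid": "1"}.

    Lists are left untouched; the caller decides how to handle them.
    """
    out: Dict[str, Any] = {}
    for key, value in obj.items():
        name = f"{prefix}{sep}{key}" if prefix else key
        if isinstance(value, dict):
            out.update(flatten(value, name, sep))
        else:
            out[name] = value
    return out


def parse_results_log(text: str, sep: str = "_") -> List[Dict[str, Any]]:
    """Turn results-log text into a list of flat, searchable events."""
    events: List[Dict[str, Any]] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        raw = raw.strip()
        if not raw:
            continue
        try:
            record = json.loads(raw)
        except json.JSONDecodeError:
            # A partial line (for example one read while osqueryd was still
            # writing it) is kept as an unparsed event rather than dropped.
            events.append({"parse_error": True, "line": lineno, "message": raw})
            continue
        rows = record.pop("snapshot", None)
        if rows is None:
            events.append(flatten(record, sep=sep))
            continue
        # One event per snapshot row, with the row under "columns" so that
        # snapshot and differential results share the same field names.
        for row in rows:
            event = dict(record)
            event["columns"] = row
            events.append(flatten(event, sep=sep))
    return events


def select(events: List[Dict[str, Any]], **criteria: Any) -> List[Dict[str, Any]]:
    """Stand-in for a field-based search: keep events matching every field."""
    return [e for e in events if all(e.get(k) == v for k, v in criteria.items())]


if __name__ == "__main__":
    evs = parse_results_log(SAMPLE_RESULTS_LOG)
    for ev in evs:
        print(sorted(ev.items()))
    hits = select(evs, action="added", columns_port="4444")
    print(f"{len(evs)} events, {len(hits)} new listener(s) on port 4444")
```

If Filebeat is doing the shipping, the same flattening can alternatively happen on the endpoint with the log input's `json.keys_under_root` and `json.add_error_key` options, in which case the fields arrive in Graylog already split and the extractor is not needed; either way, check a snapshot query's output once so you know whether rows are landing as one event or one array.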

Ok cool, thanks for the information.

I will check it out soon.

Cheers

Jake
