Osquery Logs
Connecting Osquery logs to your Panther Console
Panther supports ingesting Osquery logs via common Data Transport options: HTTP Source, Amazon Web Services (AWS) S3, SQS, and CloudWatch.
To connect these logs into Panther:
- 1.In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
- 2.Click Create New.
- 3.Search for "Osquery," then click its tile.
- 4.In the slide-out panel, select the Transport Mechanism you wish to use for this integration.
- 5.Click Start Setup.
- 6.Follow Panther's instructions for configuring your chosen Data Transport method:
- 7.Configure Osquery to push logs to the Data Transport source.
- See Osquery's documentation for instructions on pushing logs to your selected Data Transport source.
Batch contains all the data included in Osquery batch logs.
schema: Osquery.Batch
description: Batch contains all the data included in OsQuery batch logs
referenceURL: https://osquery.readthedocs.io/en/stable/deployment/logging/
fields:
- name: calendarTime
required: true
description: The time of the event (UTC).
type: timestamp
timeFormats:
- '%a %b %d %H:%M:%S %Y %Z'
- '%a %b %d %H:%M:%S %Y %Z'
isEventTime: true
- name: counter
required: true
description: '''counter'' can be used to identify if the added records are all records from initial query of if they are new records. For initial query results that includes all records counter will be ''0'''
type: bigint
- name: decorations
description: Decorations
type: json
- name: diffResults
required: true
description: Computed differences.
type: object
fields:
- name: added
description: Added field
type: array
element:
type: json
- name: removed
description: Removed field
type: array
element:
type: json
- name: epoch
required: true
description: Epoch. When 'epoch' changes, counter will be reset back to 0.
type: bigint
- name: hostname
required: true
description: Hostname
type: string
indicators:
- hostname
- name: name
required: true
description: Name
type: string
- name: unixTime
required: true
description: Unix epoch
type: bigint
Differential contains all the data included in Osquery differential logs.
schema: Osquery.Differential
description: Differential contains all the data included in OsQuery differential logs
referenceURL: https://osquery.readthedocs.io/en/stable/deployment/logging/
fields:
- name: action
required: true
description: Action is the type of the event
type: string
- name: calendarTime
required: true
description: The time of the event (UTC).
type: timestamp
timeFormats:
- '%a %b %d %H:%M:%S %Y %Z'
- '%a %b %d %H:%M:%S %Y %Z'
isEventTime: true
- name: columns
required: true
description: Columns
type: json
- name: counter
description: '''counter'' can be used to identify if the added records are all records from initial query of if they are new records. For initial query results that includes all records counter will be ''0'''
type: bigint
- name: decorations
description: Decorations
type: json
- name: epoch
required: true
description: Epoch. When 'epoch' changes, counter will be reset back to 0.
type: bigint
- name: hostIdentifier
required: true
description: HostIdentifier
type: string
indicators:
- hostname
- name: logType
description: LogType
type: string
- name: log_type
description: LogUnderscoreType
type: string
- name: name
required: true
description: Name
type: string
- name: unixTime
required: true
description: UnixTime
type: bigint
- name: logNumericsAsNumbers
description: LogNumericsAsNumbers
type: boolean
Snapshot contains all the data included in Osquery differential logs.
schema: Osquery.Snapshot
description: Snapshot contains all the data included in OsQuery differential logs
referenceURL: https://osquery.readthedocs.io/en/stable/deployment/logging/
fields:
- name: calendarTime
required: true
description: The time of the event (UTC).
type: timestamp
timeFormats:
- '%a %b %d %H:%M:%S %Y %Z'
- '%a %b %d %H:%M:%S %Y %Z'
isEventTime: true
- name: unixTime
required: true
description: UnixTime
type: bigint
- name: action
required: true
description: Action is the type of the event
type: string
- name: counter
required: true
description: '''counter'' can be used to identify if the added records are all records from initial query of if they are new records. For initial query results that includes all records counter will be ''0'''
type: bigint
- name: decorations
description: Decorations
type: json
- name: epoch
required: true
description: Epoch. When 'epoch' changes, counter will be reset back to 0.
type: bigint
- name: hostIdentifier
required: true
description: HostIdentifier. By default it's the hostname'
type: string
indicators:
- domain
- name: name
required: true
description: Name
type: string
- name: snapshot
description: Snapshot
type: array
element:
type: json
Status is a diagnostic osquery log about the daemon.
schema: Osquery.Status
description: Status is a diagnostic osquery log about the daemon.
referenceURL: https://osquery.readthedocs.io/en/stable/deployment/logging/
fields:
- name: calendarTime
required: true
description: The time of the event (UTC).
type: timestamp
timeFormats:
- '%a %b %d %H:%M:%S %Y %Z'
- '%a %b %d %H:%M:%S %Y %Z'
isEventTime: true
- name: decorations
description: Decorations
type: json
- name: filename
required: true
description: Filename
type: string
- name: hostIdentifier
required: true
description: HostIdentifier
type: string
indicators:
- domain
- name: line
required: true
description: Line
type: bigint
- name: logType
description: LogType
type: string
- name: log_type
description: LogUnderScoreType
type: string
- name: message
description: Message
type: string
- name: severity
required: true
description: Severity
type: bigint
- name: unixTime
required: true
description: UnixTime
type: bigint
- name: version
required: true
description: Version
type: string
Last modified 24d ago