Knowledge BaseCommunityRelease NotesRequest Demo

Osquery Logs

Connecting Osquery logs to your Panther Console

Overview

Panther supports ingesting Osquery logs via common Data Transport options: HTTP Source, Amazon Web Services (AWS) S3, SQS, and CloudWatch.

How to onboard Osquery logs to Panther

To connect these logs into Panther:

  1. In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.

  2. Click Create New.

  3. Search for "Osquery," then click its tile.

  4. In the slide-out panel, select the Transport Mechanism you wish to use for this integration.

  5. Click Start Setup.

  6. Follow Panther's instructions for configuring your chosen Data Transport method:

  7. Configure Osquery to push logs to the Data Transport source.

    • See Osquery's documentation for instructions on pushing logs to your selected Data Transport source.

Panther-Built Detections

See Panther's built in rules for Osquery in panther-analysis in Github.

Supported log types

Required fields in all tables are in bold.

Osquery.Batch

Batch contains all the data included in Osquery batch logs.

Reference: Osquery Documentation on Logging. (scroll to Batch format section)

Column

Type

Description

calendarTime

timestamp

The time of the event (UTC).

counter

bigint

Counter

decorations

{ string:string }

Decorations

diffResults

{ "added":[{ string:string }], "removed":[{ string:string }] }

Computed differences.

epoch

bigint

Epoch

hostname

string

Hostname

name

string

Name

unixTime

bigint

Unix epoch

p_log_type

string

Panther added field with type of log

p_row_id

string

Panther added field with unique id (within table)

p_event_time

timestamp

Panther added standardize event time (UTC)

p_parse_time

timestamp

Panther added standardize log parse time (UTC)

p_source_id

string

Panther added field with the source id

p_source_label

string

Panther added field with the source label

p_any_ip_addresses

[string]

Panther added field with collection of ip addresses associated with the row

p_any_domain_names

[string]

Panther added field with collection of domain names associated with the row

p_any_sha1_hashes

[string]

Panther added field with collection of SHA1 hashes associated with the row

p_any_md5_hashes

[string]

Panther added field with collection of MD5 hashes associated with the row

p_any_sha256_hashes

[string]

Panther added field with collection of SHA256 hashes of any algorithm associated with the row

Osquery.Differential

Differential contains all the data included in Osquery differential logs.

Reference: Osquery Documentation on Logging. (scroll to Differential logs section)

Column

Type

Description

action

string

Action

calendarTime

timestamp

The time of the event (UTC).

columns

{ string:string }

Columns

counter

bigint

Counter

decorations

{ string:string }

Decorations

epoch

bigint

Epoch

hostIdentifier

string

HostIdentifier

logType

string

LogType

log_type

string

LogUnderscoreType

name

string

Name

unixTime

bigint

UnixTime

logNumericsAsNumbers

boolean

LogNumericsAsNumbers

p_log_type

string

Panther added field with type of log

p_row_id

string

Panther added field with unique id (within table)

p_event_time

timestamp

Panther added standardize event time (UTC)

p_parse_time

timestamp

Panther added standardize log parse time (UTC)

p_source_id

string

Panther added field with the source id

p_source_label

string

Panther added field with the source label

p_any_ip_addresses

[string]

Panther added field with collection of ip addresses associated with the row

p_any_domain_names

[string]

Panther added field with collection of domain names associated with the row

p_any_sha1_hashes

[string]

Panther added field with collection of SHA1 hashes associated with the row

p_any_md5_hashes

[string]

Panther added field with collection of MD5 hashes associated with the row

p_any_sha256_hashes

[string]

Panther added field with collection of SHA256 hashes of any algorithm associated with the row

Osquery.Snapshot

Snapshot contains all the data included in Osquery differential logs.

Reference: Osquery Documentation on Logging. (scroll to Snapshot logs section)

Column

Type

Description

action

string

Action

calendarTime

timestamp

The time of the event (UTC).

counter

bigint

Counter

decorations

{ string:string }

Decorations

epoch

bigint

Epoch

hostIdentifier

string

HostIdentifier

name

string

Name

snapshot

[{ string:string }]

Snapshot

unixTime

bigint

UnixTime

p_log_type

string

Panther added field with type of log

p_row_id

string

Panther added field with unique id (within table)

p_event_time

timestamp

Panther added standardize event time (UTC)

p_parse_time

timestamp

Panther added standardize log parse time (UTC)

p_source_id

string

Panther added field with the source id

p_source_label

string

Panther added field with the source label

p_any_ip_addresses

[string]

Panther added field with collection of ip addresses associated with the row

p_any_domain_names

[string]

Panther added field with collection of domain names associated with the row

p_any_sha1_hashes

[string]

Panther added field with collection of SHA1 hashes associated with the row

p_any_md5_hashes

[string]

Panther added field with collection of MD5 hashes associated with the row

p_any_sha256_hashes

[string]

Panther added field with collection of SHA256 hashes of any algorithm associated with the row

Osquery.Status

Status is a diagnostic osquery log about the daemon.

Reference: Osquery Documentation on Logging. (scroll to Status logs section)

Column

Type

Description

calendarTime

timestamp

The time of the event (UTC).

decorations

{ string:string }

Decorations

filename

string

Filename

hostIdentifier

string

HostIdentifier

line

bigint

Line

logType

string

LogType

log_type

string

LogUnderScoreType

message

string

Message

severity

bigint

Severity

unixTime

bigint

UnixTime

version

string

Version

p_log_type

string

Panther added field with type of log

p_row_id

string

Panther added field with unique id (within table)

p_event_time

timestamp

Panther added standardize event time (UTC)

p_parse_time

timestamp

Panther added standardize log parse time (UTC)

p_source_id

string

Panther added field with the source id

p_source_label

string

Panther added field with the source label

p_any_ip_addresses

[string]

Panther added field with collection of ip addresses associated with the row

p_any_domain_names

[string]

Panther added field with collection of domain names associated with the row

p_any_sha1_hashes

[string]

Panther added field with collection of SHA1 hashes associated with the row

p_any_md5_hashes

[string]

Panther added field with collection of MD5 hashes associated with the row

p_any_sha256_hashes

[string]

Panther added field with collection of SHA256 hashes of any algorithm associated with the row

PreviousOneLogin LogsNextOSSEC Logs

Last updated

Was this helpful?

#1935: [1.78] Add filtering section

Change request updated