How to collect data from one host osquery agent to central server?


Host machine configuration:

```json
{
  "options": {
    "distributed_plugin": "tls",
    "distributed_interval": "3600",
    "enroll_tls_endpoint": "https://10.182.2.142/enroll",
    "tls_server_certs": "/opt/osquery/share/osquery/certs/certs.pem"
    "tls_hostname": "SERVER_IP",
    "config_plugin": "filesystem",
    "logger_plugin": "filesystem",
  }
}
```

Server machine configuration:

```json
{
  "options": {
    "distributed_server": "true",
    "distributed_plugin": "tls",
    "distributed_interval": "3600",
    "tls_server_certs": "/opt/osquery/share/osquery/certs/certs.pem"
  }
}
```

Is my configuration file setting correct?

I am not getting any result log on my server machine. Error:

```
W1011 15:57:15.580679 1397964 init.cpp:760] Error reading config: Error parsing the config JSON
I1011 15:57:15.580854 1397964 eventfactory.cpp:156] Event publisher not enabled: BPFEventPublisher: Publisher disabled via configuration
I1011 15:57:15.581048 1397964 eventfactory.cpp:156] Event publisher not enabled: auditeventpublisher: Publisher disabled via configuration
I1011 15:57:15.581076 1397964 eventfactory.cpp:156] Event publisher not enabled: inotify: Publisher disabled via configuration
I1011 15:57:15.581100 1397964 eventfactory.cpp:156] Event publisher not enabled: syslog: Publisher disabled via configuration
```

I tried to send a query from the host machine to the server machine, and I want to get all live process data of the host machine.

Answer by seph:

What software are you using as a server?

Osquery itself is not a central server. You will need to look at the documentation for your central server software to understand how to configure osquery with it.

Some documentation about what kind of API osquery expects can be found at https://osquery.readthedocs.io/en/latest/deployment/remote/
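As an added illustration (not part of this thread or of the osquery project), here is a small Python checker that reproduces the "Error parsing the config JSON" symptom on a config shaped like the one in the question and then lists the agent-side options a TLS distributed setup needs before the server linked above can hand it queries. The sample config is constructed, and the required-option set is my own reading of the osquery remote-deployment guide.

```python
import json

# Constructed sample mirroring the question's host-side config, including the
# comma missing after "tls_server_certs" that makes osquery reject the file.
POSTED_HOST_CONFIG = """{
  "options": {
    "distributed_plugin": "tls",
    "tls_server_certs": "/opt/osquery/share/osquery/certs/certs.pem"
    "tls_hostname": "SERVER_IP",
    "enroll_tls_endpoint": "https://10.182.2.142/enroll"
  }
}"""

# Options a TLS distributed (live-query) agent needs. The flag names are the
# documented osquery ones; treating this set as the minimum is my assumption.
REQUIRED_FOR_TLS_DISTRIBUTED = (
    "tls_hostname",                    # host[:port] of the central server
    "enroll_tls_endpoint",             # URI path on that host, e.g. "/enroll"
    "distributed_tls_read_endpoint",   # path the agent polls for queries
    "distributed_tls_write_endpoint",  # path the agent posts results to
)


def parse_config(text):
    """Return (options, error); error reproduces osquery's
    'Error parsing the config JSON' symptom for a malformed file."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        return None, f"Error parsing the config JSON: {exc.msg} (line {exc.lineno})"
    return cfg.get("options", {}), None


def check_distributed_tls(options):
    """List what would stop a tls-distributed agent from receiving queries."""
    findings = []
    if options.get("distributed_plugin") != "tls":
        findings.append("distributed_plugin is not 'tls'")
    findings += [f"missing option: {k}"
                 for k in REQUIRED_FOR_TLS_DISTRIBUTED if k not in options]
    if options.get("enroll_tls_endpoint", "").startswith("http"):
        findings.append("enroll_tls_endpoint must be a path such as /enroll, "
                        "not a full URL; scheme and host come from tls_hostname")
    return findings


if __name__ == "__main__":
    options, err = parse_config(POSTED_HOST_CONFIG)
    print(err or "\n".join(check_distributed_tls(options)))
```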