Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/jandre/brosquery

module for osquery to load Bro logs into tables
https://github.com/jandre/brosquery

Last synced: 19 days ago
JSON representation

module for osquery to load Bro logs into tables

Host: GitHub
URL: https://github.com/jandre/brosquery
Owner: jandre
License: mit
Created: 2015-04-27T00:08:27.000Z (over 9 years ago)
Default Branch: master
Last Pushed: 2015-04-28T14:19:57.000Z (over 9 years ago)
Last Synced: 2024-08-01T08:09:11.429Z (4 months ago)
Language: C++
Homepage:
Size: 531 KB
Stars: 27
Watchers: 6
Forks: 2
Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE

Awesome Lists containing this project

README

## What?

This project builds an OSQuery module `libbro.so` for loading `bro` logs as tables in osquery.

The logs are *dynamically* loaded into tables from the `bro` logs installation directory. They are created as tables based on their
log file name, except pre-pended with `bro_`. E.g., `conn.log` -> table `bro_conn`.

## Example

![screenshot](https://raw.githubusercontent.com/jandre/brosquery/master/screenshot.png)

From [EnvDB](https://github.com/mephux/envdb) UI:

![screenshot](https://raw.githubusercontent.com/jandre/brosquery/master/envdb-screenshot.png)

## Building and Installing

To build, you need `cmake`, `clang`, `git` (for both osquery and module builds).

```bash
make deps
make
```

This will create the module `./build/src/libbro.`

You will then need to copy this to `/usr/local/lib/libbro.` and then you can add an entry to `/etc/osquery/modules.load`:

```bash
$ sudo cp -r ./build/src/libbro. /usr/local/lib
$ sudo mkdir -p /etc/osquery/
$ sudo sh -c 'echo "/usr/local/lib/libbro." >> /etc/osquery/modules.load'
```

You can now run `osqueryi` with the location of `$BROLOGS` set to the bro logs path, where it will attempt to load log tables from `$BROLOGS`.

Example:

```bash
sudo BROLOGS="$PWD/bro/logs" osqueryi
```

Without BROLOGS set, it will try to load logs from the following common Bro installation locations:

```
/usr/local/bro/logs/current
/opt/bro/logs
/nsm/bro/logs/current
```

### Installing for EnvDB

To get it to work with EnvDB, you need to create a wrapper script for `osqueryi` that supplies the correct environment variable
for the `BROPATH`. This should be in your path *before* osqueryi.

E.g., add this to your path:
```
root@vagrant-ubuntu-trusty-64:~# more /usr/bin/osqueryi
#!/bin/sh
BROLOGS="/path/to/bro/logs" /path/to/real/osqueryi "$@"
```

You can also try setting BROLOGS=xxx in EnvDB startup although I'm not certain that works.

## TODO

* [X] Better Bro log path detection.
* [X] Add variable `BROLOGS` to specify where the bro logs are, or maybe a more flexible way to supply this to osquery.
* [ ] Better type handling? Better error handling?

General wishlist: I wish osquery had a nicer way of loading any log dynamically into its framework. :)