
Lab S03 — Splunk and OSquery

Install OSquery on Windows 10 and Ubuntu 22.04 using Palantir's configuration, then forward logs to Splunk Enterprise.

~45 min · Ubuntu 22.04 · Windows 10 · 7 sections

Prerequisites

1. Complete Lab S00 before starting this lab. You will need a working Splunk Enterprise instance and a Universal Forwarder already configured.

2. This lab requires an Ubuntu 22.04 VM and a Windows 10 VM. Both were tested in Synology VMM.

Introduction

What is OSquery?

Osquery is an open-source tool that exposes an operating system as a relational database, letting you inspect its state with SQL-like queries. It was created by Mike Arpaia at Facebook in 2014 and runs on macOS, Linux, FreeBSD, and Windows.

  • How it works: Uses SQL queries to inspect real-time OS state.
  • What it can do: Query running processes, user logins, and network connections.
  • How it's useful: Simplifies security and administration tasks across platforms.
  • Who created it: Mike Arpaia at Facebook, 2014.

What is Chocolatey?

Chocolatey is an open-source command-line package manager for Windows, similar to apt-get on Debian-based Linux. It was created by Rob Reynolds in 2011 and automates the download, installation, update, and removal of Windows software.

Chocolatey & OSquery Install (Windows 10)

1. Open an administrative PowerShell session. To verify you are running as Administrator, run the following:

$currentPrincipal = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
$currentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

The command returns True if the session is elevated.

2. Install Chocolatey by visiting chocolatey.org/install and running the command provided on that page. That command sets the ExecutionPolicy to Bypass for the duration of the install. Afterwards, verify the installation with:

choco --version

[Screenshot: Chocolatey version verified]

3. Install OSquery using Chocolatey:

choco install osquery

Confirm the installation in C:\Program Files\osquery.

[Screenshot: OSquery installed in Program Files]

4. From C:\Program Files\osquery, install the OSquery service and start it:

osqueryd.exe --install
Start-Service osqueryd

Note: Without a configuration file, OSquery will not accumulate results yet. Configuration is covered in the next section.

[Screenshot: OSquery service installed]

OSquery Configuration — Palantir Technologies (Windows)

About the Palantir OSquery Configuration

Palantir Technologies published an open-source OSquery configuration for enterprise use.

1. Clone or download the Palantir repository (github.com/palantir/osquery-configuration) and copy the Windows endpoint configuration files. From the Classic/Endpoints/Windows folder in an administrative PowerShell, run:

cp -Force ./*.conf "C:/Program Files/osquery"
cp -Force ./*.flags "C:/Program Files/osquery"

Then from the parent directory, copy the packs folder:

cp -Recurse ./packs "C:/Program Files/osquery"

The resulting file structure should include osquery.conf, osquery.flags, and osquery_no_tls.flags in C:\Program Files\osquery, along with a packs\ folder containing seven .conf files.

[Screenshot: Palantir config files copied to osquery folder]

2. Enable Windows Event Logging by opening osquery.flags as Administrator in Notepad and changing the disable_events flag value to false.

[Screenshot: disable_events set to false in osquery.flags]

3. Restart the OSquery service and confirm that results are accumulating in osqueryd.results.log:

Restart-Service osqueryd
[Screenshot: osqueryd.results.log accumulating data]

OSquery on Linux (Ubuntu 22.04)

1. Download the latest .deb package from osquery.io/downloads/official (Debian/amd64). At the time of writing, the current version is v5.13.1. Install it with:

sudo dpkg -i osquery_5.13.1-1.linux_amd64.deb

Test the interactive shell:

osqueryi
2. Use the default example configuration as a starting point and start the OSquery daemon:

sudo cp /opt/osquery/share/osquery/osquery.example.conf /etc/osquery/osquery.conf
sudo systemctl start osqueryd

Confirm logs are generating in /var/log/osquery.

[Screenshot: OSquery logs generating on Linux]

3. Apply the Palantir Linux configuration from github.com/palantir/osquery-configuration. Remove the default config and create a new one:

sudo rm /etc/osquery/osquery.conf
sudo nano /etc/osquery/osquery.conf

Populate the file with the raw Palantir config from:

https://raw.githubusercontent.com/palantir/osquery-configuration/refs/heads/master/Classic/Servers/Linux/osquery.conf

Alternatively, copy from the cloned repository:

sudo cp osquery-configuration/Classic/Servers/Linux/osquery.* /opt/osquery/share/osquery/
sudo cp -r osquery-configuration/Classic/Servers/Linux/packs /opt/osquery/share/osquery/
sudo systemctl restart osqueryd
sudo systemctl status osqueryd

Running sudo osqueryd --config_check before the restart parses the config and every pack it references and reports any JSON or path error up front, which is quicker than reading the daemon's error log afterwards.

[Screenshot: OSquery daemon running with Palantir config on Linux]

Splunk Add-on for OSquery

1. The TA-osquery add-on is archived on Splunkbase but still available at splunkbase.splunk.com/app/4402. Log in and download the .tgz file.

In the Splunk Web UI go to Apps → Manage Apps → Install from file. Select the .tgz and restart the server. Confirm the app appears in $SPLUNK_HOME/etc/apps/.

[Screenshot: TA-osquery installed in Splunk]

2. Create a new index called osquery in the Splunk Web UI under Settings → Indexes → New Index.

3. Edit inputs.conf in the TA-osquery app's default folder ($SPLUNK_HOME/etc/apps/TA-osquery/default/inputs.conf) so that each monitor stanza points at the correct log path and at the osquery index created in the previous step. Add or update the following entries:

[monitor:///var/log/osquery/osqueryd.results.log]
index = osquery
sourcetype = osquery:results

[monitor:///var/log/osquery/osqueryd.*INFO*]
index = osquery
sourcetype = osquery:info

[monitor:///var/log/osquery/osqueryd.*ERROR*]
index = osquery
sourcetype = osquery:error

[monitor:///var/log/osquery/osqueryd.*WARNING*]
index = osquery
sourcetype = osquery:warning

If the stanzas are left at index = main, the data is indexed but the searches against index="osquery" later in this lab return nothing.

Restart Splunk and confirm data is arriving from the Linux server.

[Screenshot: OSquery data in Splunk osquery index]

Deploy OSquery Add-on to Windows Forwarder

1. Copy TA-osquery to the deployment-apps folder so the Deployment Server can push it to your Windows forwarder:

sudo cp -r $SPLUNK_HOME/etc/apps/TA-osquery $SPLUNK_HOME/etc/deployment-apps
2. Create a Server Class under Settings → Forwarder Management. Add TA-osquery as an app and add your Windows 10 client as a client machine.

3. On Windows, once the app is deployed, open the inputs.conf from the deployed app at C:\Program Files\SplunkUniversalForwarder\etc\apps\TA-osquery\default\inputs.conf in Notepad as Administrator.

Create a local copy at TA-osquery\local\inputs.conf that replaces the Linux monitor paths with the Windows log path (by default osquery on Windows writes under C:\Program Files\osquery\log, so the results file is C:\Program Files\osquery\log\osqueryd.results.log) and keeps index = osquery. In Splunk's configuration layering, settings in the local folder take precedence over those in default, so the deployed default file can stay untouched.

[Screenshot: local inputs.conf for TA-osquery on Windows]

4. Verify that OSquery data from Windows is arriving in Splunk using the following searches in Apps → Search & Reporting:

index="osquery" sourcetype="osquery:results" | table _time, _raw

To filter for running services specifically:

index="osquery" sourcetype="osquery:results" | spath | search name="services"
[Screenshot: OSquery results in Splunk including services]
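The last search above relies on Splunk's spath to pull the query name and row fields out of each results-log event. As an added example that is not part of the lab, this Python script does the same offline against a constructed sample of osqueryd.results.log lines, flattening both differential (added/removed) and snapshot events into rows and then filtering on name="services" the way the search does; the host name, timestamps and services in the sample are made up.

```python
import json
from typing import Dict, Iterable, List, Tuple

# Constructed sample of osqueryd.results.log lines (newline-delimited JSON); the
# host, timestamps and services are invented for this example. Differential
# queries log one event per changed row ("action": "added"/"removed", row under
# "columns"); snapshot queries log one event with every row under "snapshot".
SAMPLE_RESULTS_LOG = r"""
{"name":"services","hostIdentifier":"WIN10-LAB","calendarTime":"Mon Jan  1 10:00:00 2024 UTC","unixTime":1704103200,"action":"added","columns":{"name":"osqueryd","display_name":"osqueryd","status":"RUNNING","path":"C:\\Program Files\\osquery\\osqueryd\\osqueryd.exe"}}
{"name":"services","hostIdentifier":"WIN10-LAB","calendarTime":"Mon Jan  1 10:00:00 2024 UTC","unixTime":1704103200,"action":"added","columns":{"name":"SplunkForwarder","display_name":"SplunkForwarder Service","status":"RUNNING","path":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunkd.exe service"}}
{"name":"services","hostIdentifier":"WIN10-LAB","calendarTime":"Mon Jan  1 10:05:00 2024 UTC","unixTime":1704103500,"action":"removed","columns":{"name":"SplunkForwarder","display_name":"SplunkForwarder Service","status":"RUNNING","path":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunkd.exe service"}}
{"name":"logged_in_users","hostIdentifier":"WIN10-LAB","calendarTime":"Mon Jan  1 10:05:00 2024 UTC","unixTime":1704103500,"action":"snapshot","snapshot":[{"user":"labuser","type":"active"},{"user":"svc_backup","type":"service"}]}
this line is not JSON and must be skipped rather than crash the parser
"""

EVENT_FIELDS = ("name", "hostIdentifier", "calendarTime", "unixTime", "action")


def parse_results_log(text: str) -> Tuple[List[Dict], List[int]]:
    """Flatten results-log events into one record per row, as `| spath` would.
    Returns (rows, skipped_line_numbers); a partially written last line is
    normal on a live log, so non-JSON lines are skipped instead of aborting."""
    rows: List[Dict] = []
    skipped: List[int] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            skipped.append(lineno)
            continue
        base = {field: event.get(field) for field in EVENT_FIELDS}
        if event.get("action") == "snapshot":
            rows.extend({**base, "columns": row} for row in event.get("snapshot", []))
        else:
            rows.append({**base, "columns": event.get("columns", {})})
    return rows, skipped


def service_changes(rows: Iterable[Dict]) -> Dict[str, List[str]]:
    """Equivalent of `search name="services"`: service names grouped by action."""
    changes: Dict[str, List[str]] = {"added": [], "removed": []}
    for row in rows:
        if row["name"] == "services" and row["action"] in changes:
            changes[row["action"]].append(row["columns"].get("name", "?"))
    return changes


if __name__ == "__main__":
    rows, skipped = parse_results_log(SAMPLE_RESULTS_LOG)
    print(f"{len(rows)} rows, {len(skipped)} non-JSON line(s) skipped")
    for action, names in service_changes(rows).items():
        print(f"services {action}: {', '.join(names) or '-'}")
```

Point parse_results_log at the contents of a real osqueryd.results.log to compare what the forwarder should be shipping with what the Splunk search returns.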