open-telemetry / opentelemetry-collector-contrib

Contrib repository for the OpenTelemetry Collector
https://opentelemetry.io
Apache License 2.0

New component: osquery #30375

Closed smithclay closed 1 month ago

smithclay commented 7 months ago

The purpose and use-cases of the new component

osquery is a popular open-source Linux Foundation project that allows system administrators to query information about their systems using a SQL-like language.

As a collector receiver for logs, it allows users to extract detailed information about their Linux, macOS, or Windows systems like running processes, certificates, or disks on a predefined schedule. This receiver is particularly helpful for using the collector for security and compliance use-cases.

Example configuration for the component

```yaml
osquery:
  collection_interval: 10s
  extensions_socket: /var/osquery/osquery.em
  queries:
    - "select * from certificates"
    - "select * from block_devices"
```

Telemetry data types supported

logs

Is this a vendor-specific component?

Code Owner(s)

@smithclay

Sponsor (optional)

@codeboten

Additional context

No response

codeboten commented 7 months ago

Thanks for submitting this @smithclay, curious how using this as a separate receiver would compare to using osquery with something like a syslog logger plugin combined with the syslogreceiver for example

smithclay commented 7 months ago

> Thanks for submitting this @smithclay, curious how using this as a separate receiver would compare to using osquery with something like a syslog logger plugin combined with the syslogreceiver for example

The main benefit is giving collector users flexibility to issue one-off queries (at arbitrary intervals) without having to edit the system's config file for osqueryd. It also centralizes, in a collector's config, gathering metrics about a resource (like disk IO) and detailed information (like disk serial number) about those same resources.

More medium-term: remote configuration via opAMP opens up even more security and compliance use-cases if this is a collector receiver. For example, gathering more detailed metrics, logs (via osquery), and traces for a particular server after it is impacted by a security incident.

codeboten commented 7 months ago

thanks for clarifying @smithclay! do you have a sample output you expect to see from osquery?

smithclay commented 7 months ago

> thanks for clarifying @smithclay! do you have a sample output you expect to see from osquery?

Here's example output for disk devices (one of 100+ different data sources), idea is this would turn into two log lines with the columns being resource attributes:

[image: sample osquery output for disk devices]

github-actions[bot] commented 5 months ago
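The row-to-log mapping described above, as an added example that is not part of the proposal or the collector code base: it decodes the JSON shape osquery emits (an array of rows, every value a string), turns each row into one log record, and carries the columns as attributes. The `LogRecord` type is a stand-in for the collector's log model, the `osquery.` attribute prefix is an assumed convention, and the block_devices rows are constructed sample data.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// LogRecord is a simplified stand-in for a collector log record (hypothetical;
// the real receiver would build pdata log records instead).
type LogRecord struct {
	Timestamp  time.Time
	Body       string            // the query that produced this row
	Attributes map[string]string // one attribute per osquery column
}

// RowsToLogRecords decodes osquery's JSON result set (as printed by
// `osqueryi --json`) and emits one log record per row. An empty or
// null result yields zero records; malformed JSON is reported as an error.
func RowsToLogRecords(query string, rawJSON []byte, ts time.Time) ([]LogRecord, error) {
	var rows []map[string]string
	if err := json.Unmarshal(rawJSON, &rows); err != nil {
		return nil, fmt.Errorf("decode osquery rows for %q: %w", query, err)
	}
	recs := make([]LogRecord, 0, len(rows))
	for _, row := range rows {
		attrs := make(map[string]string, len(row)+1)
		for col, val := range row {
			attrs["osquery."+col] = val // assumed attribute naming convention
		}
		attrs["osquery.query"] = query
		recs = append(recs, LogRecord{Timestamp: ts, Body: query, Attributes: attrs})
	}
	return recs, nil
}

// Constructed sample in the shape osquery returns for "select * from block_devices".
const sampleBlockDevices = `[
  {"name":"/dev/sda","size":"1000215216","model":"Example SSD","type":"disk","vendor":"ATA"},
  {"name":"/dev/sda1","size":"1000212480","model":"","type":"","vendor":""}
]`

func main() {
	recs, err := RowsToLogRecords("select * from block_devices", []byte(sampleBlockDevices), time.Now())
	if err != nil {
		panic(err)
	}
	for _, r := range recs {
		fmt.Printf("%s name=%s size=%s\n", r.Body, r.Attributes["osquery.name"], r.Attributes["osquery.size"])
	}
}
```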

This issue has been inactive for 60 days. It will be closed in 60 days if there is no activity. To ping code owners by adding a component label, see Adding Labels via Comments, or if you are unsure of which component this issue relates to, please ping @open-telemetry/collector-contrib-triagers. If this issue is still relevant, please ping the code owners or leave a comment explaining why it is still relevant. Otherwise, please close it.

smithclay commented 5 months ago

Hey, will be getting back to this next week :)

github-actions[bot] commented 3 months ago

This issue has been inactive for 60 days. It will be closed in 60 days if there is no activity. To ping code owners by adding a component label, see Adding Labels via Comments, or if you are unsure of which component this issue relates to, please ping @open-telemetry/collector-contrib-triagers. If this issue is still relevant, please ping the code owners or leave a comment explaining why it is still relevant. Otherwise, please close it.

github-actions[bot] commented 1 month ago

This issue has been closed as inactive because it has been stale for 120 days with no activity.