apolloclark.osquery

Ansible Role: osquery

This Ansible role sets up and configures osquery on Ubuntu.

Requirements

No special requirements.

Role Variables

Here are the variables you can use, along with their default values (found in defaults/main.yml). You can override them by defining a dictionary named "osquery" that contains the keys below.

Set the name for the osquery daemon:

daemon: "osqueryd"

Specify where the config files will be located:

config_include_dir: "/etc/osquery"

Choose the config plugin type (where osqueryd reads its configuration from):

config_plugin: "filesystem"

Choose the logger plugin type (where osqueryd writes its results and status logs):

logger_plugin: "filesystem"

Set the directory where logs will be stored:

logger_path: "/var/log/osquery"

Turn off INFO, WARN, and ERROR status logs; scheduled query results are still logged:

disable_logging: "false"

Randomize the run time of scheduled queries by up to this percentage of their interval, so they do not all fire at once:

schedule_splay_percent: 10

Path of the file that records the PID of the osqueryd process:

pidfile: "/var/osquery/osquery.pidfile"

Automatically clear events from osquery's storage after this many seconds:

events_expiry: 3600

Specify where to store event and query result data on disk:

database_path: "/var/osquery/osquery.db"

List tables you want to disable, separated by commas:

disable_tables: ""

Enable verbose (debug) logging:

verbose: "true"

Set the maximum size, in bytes, of files that osquery will read:

read_max: 100000

Limit the maximum number of events to store per type:

events_max: 100000

Enable the watchdog monitor for scheduled queries:

enable_monitor: "true"

Choose how the host running osquery is identified in its logs (hostname or uuid):

host_identifier: "hostname"

Dependencies

None.

Example Playbook

Here’s a sample playbook to run this role:

- hosts: all
  roles:
    - apolloclark.osquery
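The Role Variables section above says the defaults are overridden through a dictionary named "osquery". The playbook below is an added example, not part of the role's own documentation, showing such an override. It assumes Ansible's default hash_behaviour=replace, under which a dictionary you define replaces the role's default dictionary wholesale rather than merging with it, so every key from defaults/main.yml is listed even where the default value is kept; it also assumes the role needs root (become: true) to install packages and write under /etc and /var. Two values are changed from the defaults: verbose is turned off, and host_identifier is set to uuid.

```yaml
# Added example (not from the role's own documentation): a playbook that
# overrides the role's defaults through the "osquery" dictionary.
# Assumption: with Ansible's default hash_behaviour=replace, a dictionary
# defined here replaces the role's default dictionary entirely, so every
# key from defaults/main.yml is repeated even where the default is kept.
- hosts: all
  become: true   # assumption: package installation and writes under /etc, /var need root
  vars:
    osquery:
      daemon: "osqueryd"
      config_include_dir: "/etc/osquery"
      config_plugin: "filesystem"
      logger_plugin: "filesystem"
      logger_path: "/var/log/osquery"
      disable_logging: "false"
      schedule_splay_percent: 10
      pidfile: "/var/osquery/osquery.pidfile"
      events_expiry: 3600
      database_path: "/var/osquery/osquery.db"
      disable_tables: ""
      verbose: "false"         # changed: keep the daemon's own debug output out of production logs
      read_max: 100000
      events_max: 100000
      enable_monitor: "true"
      host_identifier: "uuid"  # changed: a stable identity that survives hostname changes
  roles:
    - apolloclark.osquery
```

Keying results on the hardware UUID rather than the hostname keeps one host's history together in whatever collects the logs under logger_path, even when the machine is renamed or re-imaged with the same name. If your installation sets hash_behaviour to merge, the dictionary can be trimmed to just the keys you change.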

License

MIT / BSD

Author Information

This role was created in 2017 by Apollo Clark.

Installation

ansible-galaxy install apolloclark.osquery