osquery
Ansible Role: osquery
Ansible Role to install and configure osquery for Ubuntu.
Requirements
None.
Role Variables
Available variables are listed below, along with default values (see defaults/main.yml
).
You can overload these values by creating an dictionary called "osquery".
Set the osquery deamon name.
daemon: "osqueryd"
Set the location of the config directory.
config_include_dir: "/etc/osquery"
Configure the plugin type. doc
config_plugin: "filesystem"
Configure the logger plugin. doc
logger_plugin: "filesystem"
Configure the logger directory.
logger_path: "/var/log/osquery"
Disable INFO, WARN, and ERROR logs. This will still write results.
disable_logging: "false"
Splay the scheduled interval for queries.
schedule_splay_percent: 10
Write the pid of the osqueryd process to a pidfile/mutex.
pidfile: "/var/osquery/osquery.pidfile"
Clear events from the osquery backing store after a number of seconds.
events_expiry: 3600
A filesystem path for disk-based backing storage used for events and query results.
database_path: "/var/osquery/osquery.db"
Comma-delimited list of table names to be disabled.
disable_tables: ""
Enable debug or verbose debug output when logging.
verbose "true"
Maximum file read size.
read_max: 100000
Maximum number of events per type to buffer.
events_max: 100000
Enable the schedule monitor.
enable_monitor: "true"
Host running osquery (hostname, uuid).
host_identifier: "hostname"
Dependencies
None.
Example Playbook
- hosts: all
roles:
- apolloclark.osquery
License
MIT / BSD
Author Information
This role was created in 2017 by Apollo Clark
Install and configure osquery
ansible-galaxy install apolloclark/ansible-role-osquery