This integration is powered by Elastic Agent. Elastic Agent is a single, unified way to add monitoring for logs, metrics, and other types of data to a host. It can also protect hosts from security threats, query data from operating systems, forward data from remote services or hardware, and more. Refer to our documentation for a detailed comparison between Beats and Elastic Agent.
With this integration, you can centrally manage Osquery deployments to Elastic Agents in your Fleet and query host data through distributed SQL.
This integration adds an Osquery UI in Kibana where you can:
- Run live queries for one or more agents
- View a history of past queries and their results
- Schedule queries to capture OS state changes over time
- Save queries and build a library of queries for specific use cases
Osquery results are stored in Elasticsearch, so that you can use the power of the stack to search, analyze, and visualize Osquery data.
Documentation
For information about using Osquery, see the Osquery Kibana documentation. This includes information about required privileges; how to run, schedule, and save queries; how to map osquery fields to ECS; and other useful information about managing Osquery with this integration.
Exported Fields
For a full list of fields that can be returned in osquery results, see the Exported Fields reference in the Kibana documentation.
Changelog
| Version | Details |
|---|---|
| 1.6.0 | Fix osquery_manager data_stream values for 8.6.0 with ingest pipeline |
| 1.5.1 | Update kibana constraint to ^8.6 |
| 1.5.0 | Update schema for osquery 5.5.1 |
| 1.4.1 | Add prebuilt DFIR-related saved queries |
| 1.4.0 | Update schema for osquery 5.4.0 |
| 1.3.2 | Fix field mapping conflicts; update to ECS v8.3.0 |
| 1.3.1 | Update prebuilt saved queries objects |
| 1.3.0 | Add prebuilt saved queries |
| 1.2.1 | Update readme to remove exported fields |
| 1.2.0 | Add packs and dashboards |
| 1.1.0 | Upgrade schema and readme to match osquery 5.2.2 |
| 1.0.0 | |
| 0.8.1 | Add explicit mapping for the text fields |
| 0.8.0 | Add 8.0.0 version constraint |
| 0.7.4 | Update fields and readme with host_users, host_groups, host_processes tables |
| 0.7.3 | Update team owner |
| 0.7.2 | Update description |
| 0.7.1 | Update ecs.yml to include all date and ip ECS 1.12.0 field types |
| 0.7.0 | Update to ECS 1.12.0 |
| 0.6.1 | Upgrade schema and readme to match osquery 5.0.1 |
| 0.6.0 | Change the package to adopt the native osquery configuration better |
| 0.5.3 | Update readme and add link to Kibana docs |
| 0.5.2 | Update host.ip field mapping from keyword to ip data type |
| 0.5.1 | Update mapping and readme for osquery 4.9.0 |
| 0.5.0 | Update integration description |
| 0.4.1 | Update ECS mapping format based on the latest developer feedback |
| 0.4.0 | ECS mapping configuration support for queries/streams |
| 0.3.2 | Update Osquery Manager readme for 7.14 release |
| 0.3.1 | Update Osquery Manager mapping and readme for osquery 4.8.0 |
| 0.3.0 | Add platform and version fields to the streams configuration |
| 0.2.4 | Update schema fields description and README |
| 0.2.3 | Update manifest and README |
| 0.2.2 | Update docs |
| 0.2.1 | Change to beta |
| 0.2.0 | Explicit mappings |
| 0.1.0 | Initial release |