{"id":11385,"date":"2021-12-14T23:15:14","date_gmt":"2021-12-14T20:15:14","guid":{"rendered":"https:\/\/kifarunix.com\/?p=11385"},"modified":"2024-03-18T07:42:53","modified_gmt":"2024-03-18T04:42:53","slug":"monitor-windows-systems-using-elastic-osquery-manager","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/monitor-windows-systems-using-elastic-osquery-manager\/","title":{"rendered":"Monitor Windows Systems using Elastic Osquery Manager"},"content":{"rendered":"\n<p>In this tutorial, you will learn how to monitor Windows systems using Elastic Osquery Manager. Recent versions of the Elastic Stack ship an <a href=\"https:\/\/www.elastic.co\/guide\/en\/kibana\/current\/osquery.html\" target=\"_blank\" rel=\"noreferrer noopener\">Osquery Manager integration<\/a> that lets you run osquery SQL against Fleet-enrolled agents straight from Kibana.<\/p>\n\n\n\n<p><em>With Osquery in Kibana, you can:<\/em><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><em>Run live queries for one or more agents<\/em><\/li>\n\n\n\n<li><em>Schedule query packs to capture changes to OS state over time<\/em><\/li>\n\n\n\n<li><em>View a history of past queries and their results<\/em><\/li>\n\n\n\n<li><em>Save queries and build a library of queries for specific use cases<\/em><\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"monitor-windows-systems-using-elastic-osquery-manager\">Monitoring Windows Systems using Elastic Osquery Manager<\/h2>\n\n\n\n<p>Note that we are using <strong>Windows 10<\/strong> in this setup.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"setup-fleet-manager-on-elastic-stack\">Setup Fleet Manager on Elastic Stack<\/h3>\n\n\n\n<p>We covered how to set up Fleet and a Fleet Server in our previous tutorial on how to <a href=\"https:\/\/kifarunix.com\/ship-system-logs-to-elk-stack-using-elastic-agents\/\" target=\"_blank\" rel=\"noreferrer noopener\">Ship System Logs to ELK Stack using Elastic Agents<\/a>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"integrate-osquery-manager-with-elk-stack\">Integrate Osquery Manager 
with ELK Stack<\/h3>\n\n\n\n<p>Once Fleet is set up, add the Osquery Manager integration to your Elastic Stack:<\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/integrate-osquery-manager-with-elk-stack\/\" target=\"_blank\" rel=\"noreferrer noopener\">Integrate Osquery Manager with ELK Stack<\/a><\/p>\n\n\n\n<p>Make sure the agent policy you enroll the Windows agent into does NOT include the Fleet Server integration. That integration turns an agent into a Fleet Server, which is a role for a dedicated host rather than for the endpoints you are monitoring.<\/p>\n\n\n\n<p>In this setup, for example, agents are enrolled into the <strong>Default Policy<\/strong>, which carries the <strong>System<\/strong> and <strong>Osquery Manager<\/strong> integrations;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1909\" height=\"610\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/02\/default-policy.png\" alt=\"Monitor Windows Systems using Elastic Osquery Manager\" class=\"wp-image-11553\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/02\/default-policy.png?v=1644865103 1909w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/02\/default-policy-768x245.png?v=1644865103 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/02\/default-policy-1536x491.png?v=1644865103 1536w\" sizes=\"(max-width: 1909px) 100vw, 1909px\" \/><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\" id=\"download-elastic-agent-installer-for-windows-systems\">Download Elastic Agent Installer for Windows Systems<\/h3>\n\n\n\n<p>Download the Elastic Agent release that matches the version of your Elastic Stack; Fleet rejects enrollment of an agent that is newer than Kibana.<\/p>\n\n\n\n<p>In this setup, for example, we are running <a href=\"https:\/\/www.elastic.co\/downloads\/past-releases\/elastic-agent-7-17-0\" target=\"_blank\" rel=\"noopener\">Elastic Stack 7.17.0<\/a>. 
Hence, we have downloaded Elastic Agent 7.17.0 for our Windows system.<\/p>\n\n\n\n<p>You can grab the download link and pull the archive with PowerShell. Elastic publishes a SHA-512 checksum alongside every artifact; compare it with the output of <code>Get-FileHash -Algorithm SHA512<\/code> before extracting, so that a tampered or truncated download is caught before anything from it runs as SYSTEM.<\/p>\n\n\n\n<p>Open and run PowerShell as administrator;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>cd C:\\Users\\&lt;<strong>username<\/strong>&gt;\\Downloads<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>Invoke-WebRequest -Uri \"https:\/\/artifacts.elastic.co\/downloads\/beats\/elastic-agent\/elastic-agent-7.17.0-windows-x86_64.zip\" -OutFile elastic-agent-7.17.0-windows-x86_64.zip<\/code><\/pre>\n\n\n\n<p>Extract the archive:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Expand-Archive -Path .\\elastic-agent-7.17.0-windows-x86_64.zip -DestinationPath .<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"add-windows-elastic-agent-to-fleet-manager\">Add Windows Elastic Agent to Fleet Manager<\/h3>\n\n\n\n<p>To collect data from your Windows hosts and send it to the Elastic Stack, you need to add the Windows host to Fleet.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Navigate to <strong>Kibana &gt; Management &gt; Fleet &gt; Agents<\/strong> and click <strong>Add agent<\/strong>.<\/li>\n\n\n\n<li>On the <strong>Add agent<\/strong> wizard, click <strong>Enroll in Fleet<\/strong>. This option lets Fleet push policy changes and upgrades to the agent, so it is managed centrally rather than through local configuration files.<\/li>\n\n\n\n<li>Next, choose an <strong>agent policy<\/strong> to tie the agent to. 
In this setup, we will use the <strong>Default Fleet policy<\/strong> (<em>which already has two integrations enabled: <strong>System<\/strong> and <strong>Osquery Manager<\/strong><\/em>). Note that this policy does not include the Fleet Server integration.\n<ul class=\"wp-block-list\">\n<li>The <strong>System<\/strong> integration makes the agent run Filebeat and Metricbeat as sub-processes on the host, shipping Windows event logs and host metrics.<\/li>\n\n\n\n<li>The <strong>Osquery Manager<\/strong> integration makes the agent run Osquerybeat, which bundles and supervises osqueryd, on the host.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1851\" height=\"785\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/02\/elastic-agent-policy.png\" alt=\"\" class=\"wp-image-11556\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/02\/elastic-agent-policy.png?v=1644865728 1851w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/02\/elastic-agent-policy-768x326.png?v=1644865728 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/02\/elastic-agent-policy-1536x651.png?v=1644865728 1536w\" sizes=\"(max-width: 1851px) 100vw, 1851px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Next, download the Elastic agent installer to the Windows system. 
We have already downloaded the Elastic Agent installer in the step above, so this step can be skipped.<\/li>\n\n\n\n<li>Enroll and start the Elastic Agent.\n<ul class=\"wp-block-list\">\n<li>Select <strong>Windows<\/strong> and copy the generated Install\/Enroll command.<\/li>\n\n\n\n<li>Example Elastic Agent install command in my case;<\/li>\n\n\n\n<li><strong>NOTE<\/strong>: If Fleet Server was deployed with the <strong>Quick start<\/strong> option, it serves a self-signed certificate that the agent cannot validate, so the generated command only works once you add the <strong><code>--insecure<\/code><\/strong> flag. That flag disables verification of the Fleet Server TLS certificate (the install log further down says so explicitly: <code>SSL\/TLS verifications disabled<\/code>) and leaves the enrollment open to a man-in-the-middle, so use it only in a lab. For production, give Fleet Server a certificate issued by your CA and pass that CA to the agent with <code>--certificate-authorities<\/code> instead.<\/li>\n\n\n\n<li>Treat the enrollment token as a secret: anyone holding it can enroll a rogue agent into this policy. Rotate or revoke it under <strong>Fleet &gt; Enrollment tokens<\/strong> once your rollout is done.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>.\\elastic-agent.exe install `\n--url=https:\/\/192.168.58.22:8220 `\n--enrollment-token=WXM4YnhuNEJ5Z29oREY1bTNidTY6UlJsNEk1WTNSeVdkRndtWlBnTk5kZw== `\n--insecure<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1837\" height=\"876\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/02\/install-n-enroll-agent.png\" alt=\"\" class=\"wp-image-11555\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/02\/install-n-enroll-agent.png?v=1644865318 1837w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/02\/install-n-enroll-agent-768x366.png?v=1644865318 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/02\/install-n-enroll-agent-1536x732.png?v=1644865318 1536w\" sizes=\"(max-width: 1837px) 100vw, 1837px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"install-elastic-agents-in-windows-system-and-enroll-it-to-fleet-manager\">Install Elastic Agents in Windows system and Enroll it to Fleet Manager<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Next, log in to the Windows system you are deploying an Elastic Agent on.<\/li>\n\n\n\n<li>Launch PowerShell as an administrative user.<\/li>\n\n\n\n<li>Navigate to the folder where you extracted the Elastic Agent archive and further into the folder containing the Elastic Agent binary, 
<strong><code>elastic-agent.exe<\/code><\/strong>.<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>cd C:\\Users\\kifarunix\\Downloads\\elastic-agent-7.17.0-windows-x86_64\\elastic-agent-7.17.0-windows-x86_64<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>ls<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>    Directory: C:\\Users\\kifarunix\\Downloads\\elastic-agent-7.17.0-windows-x86_64\\elastic-agent-7.17.0-windows-x86_64\n\nMode                LastWriteTime         Length Name\n----                -------------         ------ ----\nd-----         13\/12\/2021   7:04 PM                data\n------        13\/12\/2021   9:48 PM             41 .build_hash.txt\n------        13\/12\/2021   9:48 PM             41 .elastic-agent.active.commit\n------        13\/12\/2021   9:48 PM       45319640 <strong>elastic-agent.exe<\/strong>\n------        13\/12\/2021   9:48 PM           9243 elastic-agent.reference.yml\n------        13\/12\/2021   9:48 PM           9240 elastic-agent.yml\n------        13\/12\/2021   9:48 PM          13675 LICENSE.txt\n------        13\/12\/2021   9:48 PM        1964303 NOTICE.txt\n------        13\/12\/2021   9:48 PM            863 README.md\n<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Execute the command below to install and enroll Elastic agent to Fleet manager on Elastic stack.<\/li>\n<\/ul>\n\n\n\n<pre class=\"scroll-box\"><code>.\\elastic-agent.exe install `\n--url=https:\/\/192.168.58.22:8220 `\n--enrollment-token=WXM4YnhuNEJ5Z29oREY1bTNidTY6UlJsNEk1WTNSeVdkRndtWlBnTk5kZw== `\n--insecure\n<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>When prompted on whether to run as a service, accept it and proceed with Elastic agent installation on Windows systems.<\/li>\n\n\n\n<li>Sample Elastic agent installation output on Windows system;<\/li>\n<\/ul>\n\n\n\n<pre class=\"scroll-box\"><code>Elastic Agent will be installed at C:\\Program Files\\Elastic\\Agent and will run as a service. 
Do you want to continue? [Y\/n]:y\n2021-12-13T20:05:25.219+0300    WARN    [tls]   tlscommon\/tls_config.go:98      SSL\/TLS verifications disabled.\n2021-12-13T20:05:25.653+0300    INFO    cmd\/enroll_cmd.go:442   Starting enrollment to URL: https:\/\/192.168.58.22:8220\/\n2021-12-13T20:05:26.464+0300    WARN    [tls]   tlscommon\/tls_config.go:98      SSL\/TLS verifications disabled.\n2021-12-13T20:06:03.501+0300    INFO    cmd\/enroll_cmd.go:250   Successfully triggered restart on running Elastic Agent.\nSuccessfully enrolled the Elastic Agent.\nElastic Agent has been successfully installed.\n<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The agent is installed under <strong><code>C:\\Program Files\\Elastic\\Agent<\/code><\/strong>. The two <code>SSL\/TLS verifications disabled<\/code> warnings in the output are the direct effect of <code>--insecure<\/code>; with <code>--certificate-authorities<\/code> they do not appear.<\/li>\n\n\n\n<li>The command creates the <strong>Elastic Agent<\/strong> Windows service, which runs as LocalSystem (<em>you can also check it from the Services console<\/em>).<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>Get-Service | Where Name -like *Elastic*<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>Status   Name               DisplayName\n------   ----               -----------\n<strong>Running<\/strong>  Elastic Agent      Elastic Agent<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>As already mentioned, with the System and Osquery Manager integrations enabled, the agent installs Filebeat, Metricbeat and Osquerybeat, each with its own configuration file, on the agent host. 
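<\/li>\n<\/ul>\n\n\n\n<p>Before moving on to the beat configuration files, here is the download, enrollment and service check above folded into one script and hardened the way you would run it outside a quick-start lab. This is an added example, not code from the original post or from Elastic: it checks the archive against Elastic's published SHA-512 checksum before extracting it, reads the enrollment token from an environment variable instead of pasting it into the command line, and replaces <code>--insecure<\/code> with <code>--certificate-authorities<\/code> so the Fleet Server certificate is actually verified. The CA path <code>C:\\certs\\fleet-ca.crt<\/code>, the <code>FLEET_ENROLLMENT_TOKEN<\/code> variable and the <code>.sha512<\/code> sidecar URL are assumptions; the Fleet Server address and agent version are the ones used on this page.<\/p>\n\n

```powershell
# Added example, not part of the original post or of Elastic's own tooling:
# download, verify, install and enroll Elastic Agent 7.17.0 on Windows
# without --insecure.
# Assumptions (not from the page): the Fleet Server CA certificate is at
# C:\certs\fleet-ca.crt, the enrollment token is in the FLEET_ENROLLMENT_TOKEN
# environment variable, and artifacts.elastic.co serves a "<file>.sha512"
# sidecar next to each archive.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'
$ProgressPreference    = 'SilentlyContinue'   # the progress bar slows Invoke-WebRequest down a lot

$Version  = '7.17.0'
$FleetUrl = 'https://192.168.58.22:8220'   # Fleet Server used on this page
$FleetCA  = 'C:\certs\fleet-ca.crt'        # assumed path of the CA that signed the Fleet Server cert
$Token    = $env:FLEET_ENROLLMENT_TOKEN    # never hard-code the token in a script
if (-not $Token) { throw 'Set FLEET_ENROLLMENT_TOKEN before running this script.' }

$Archive = "elastic-agent-$Version-windows-x86_64.zip"
$BaseUrl = 'https://artifacts.elastic.co/downloads/beats/elastic-agent'
$WorkDir = Join-Path $env:USERPROFILE 'Downloads'
$ZipPath = Join-Path $WorkDir $Archive

# 1. Download the archive and its published SHA-512 sidecar.
Invoke-WebRequest -Uri "$BaseUrl/$Archive"        -OutFile $ZipPath
Invoke-WebRequest -Uri "$BaseUrl/$Archive.sha512" -OutFile "$ZipPath.sha512"

# 2. Verify the checksum before anything is extracted. The sidecar is
#    "<hex digest>  <filename>", so the digest is the first field.
$expected = ((Get-Content -Path "$ZipPath.sha512" -Raw).Trim() -split '\s+')[0].ToLower()
$actual   = (Get-FileHash -Path $ZipPath -Algorithm SHA512).Hash.ToLower()
if ($actual -ne $expected) {
    Remove-Item -Path $ZipPath -Force
    throw "SHA-512 mismatch for $Archive`nexpected $expected`ngot      $actual"
}
Write-Host "Checksum OK for $Archive"

# 3. Extract and move into the directory that holds elastic-agent.exe.
#    The zip has a single top-level folder named after the archive.
Expand-Archive -Path $ZipPath -DestinationPath $WorkDir -Force
Set-Location (Join-Path $WorkDir "elastic-agent-$Version-windows-x86_64")

# 4. Install the service and enroll into Fleet.
#    --certificate-authorities makes the agent verify the Fleet Server
#    certificate against the given CA instead of skipping verification;
#    --force answers the "run as a service?" prompt so the script is
#    non-interactive.
& .\elastic-agent.exe install `
    --url=$FleetUrl `
    --enrollment-token=$Token `
    --certificate-authorities=$FleetCA `
    --force
if ($LASTEXITCODE -ne 0) { throw "elastic-agent install failed with exit code $LASTEXITCODE" }

# 5. Confirm the Windows service is up and ask the installed agent for its
#    own status (it reports the Fleet connection and each beat it runs).
$svc = Get-Service -Name 'Elastic Agent'
if ($svc.Status -ne 'Running') { throw "Elastic Agent service is $($svc.Status), expected Running" }
& 'C:\Program Files\Elastic\Agent\elastic-agent.exe' status
```

\n\n<p>Run it from an elevated PowerShell session after setting the token, for example <code>$env:FLEET_ENROLLMENT_TOKEN = '&lt;token from Fleet&gt;'<\/code>. If your Fleet Server really is a Quick start deployment with a self-signed certificate, swap <code>--certificate-authorities=$FleetCA<\/code> back for <code>--insecure<\/code>, accepting that certificate verification is then off.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>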
The configuration files are (listing from PowerShell; the <code>elastic-agent-93708b<\/code> directory is named after the short commit hash of the installed agent build and is replaced on every agent upgrade):<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>ls 'C:\\Program Files\\Elastic\\Agent\\data\\elastic-agent-93708b\\install\\*\\*beat.yml'<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>    Directory: C:\\Program Files\\Elastic\\Agent\\data\\elastic-agent-93708b\\install\\filebeat-7.17.0-windows-x86_64\n\n\nMode                LastWriteTime         Length Name\n----                -------------         ------ ----\n-a----         13\/12\/2021  12:13 AM           8273 filebeat.yml\n\n\n    Directory: C:\\Program Files\\Elastic\\Agent\\data\\elastic-agent-93708b\\install\\metricbeat-7.17.0-windows-x86_64\n\n\nMode                LastWriteTime         Length Name\n----                -------------         ------ ----\n-a----         13\/12\/2021  12:08 AM           6899 metricbeat.yml\n\n\n    Directory: C:\\Program Files\\Elastic\\Agent\\data\\elastic-agent-93708b\\install\\osquerybeat-7.17.0-windows-x86_64\n\n\nMode                LastWriteTime         Length Name\n----                -------------         ------ ----\n-a----         13\/12\/2021  12:11 AM           6504 osquerybeat.yml\n<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>For these beats to connect and send data to Elasticsearch, they need an Elasticsearch host and credentials. A Fleet-managed agent normally receives both from its policy, with the host defined under <strong>Fleet &gt; Settings<\/strong> and per-agent API keys issued by Fleet at enrollment, so check there first if data is not arriving. If you do edit the shipped beat files as shown below, be aware that the edits live in a versioned install directory that is replaced on upgrade, and that the password then sits in clear text on the endpoint, so use a dedicated least-privilege user rather than the <code>elastic<\/code> superuser.<\/li>\n\n\n\n<li>Stop the Elastic Agent service;<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>Stop-Service -Name 'Elastic Agent'<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Then edit <strong><code>filebeat.yml<\/code><\/strong>, <strong><code>metricbeat.yml<\/code><\/strong> and <strong><code>osquerybeat.yml<\/code><\/strong> and change the Elasticsearch output section from;<\/li>\n<\/ul>\n\n\n\n<pre class=\"scroll-box\"><code># ---------------------------- Elasticsearch Output ----------------------------\noutput.elasticsearch:\n  # Array of hosts to connect to.\n  <strong>hosts: 
[\"localhost:9200\"]<\/strong>\n\n  # Protocol - either `http` (default) or `https`.\n  #protocol: \"https\"\n\n  # Authentication credentials - either API key or username\/password.\n  #api_key: \"id:api_key\"\n  <strong>#username: \"elastic\"\n  #password: \"changeme\"<\/strong>\n<\/code><\/pre>\n\n\n\n<p>to:<\/p>\n\n\n\n<pre class=\"scroll-box\"><code># ---------------------------- Elasticsearch Output ----------------------------\noutput.elasticsearch:\n  # Array of hosts to connect to.\n  hosts: [\"192.168.58.22:9200\"]\n\n  # Protocol - either `http` (default) or `https`.\n  #protocol: \"https\"\n\n  # Authentication credentials - either API key or username\/password.\n  #api_key: \"id:api_key\"\n  username: \"elastic\"\n  password: \"password\"\n<\/code><\/pre>\n\n\n\n<p><strong>Set the real Elasticsearch address and the credentials of a user that holds only the privileges the beats need; the <code>elastic<\/code> superuser and the password <code>password<\/code> above are placeholders, not a recommendation. If Elasticsearch is served over TLS, also set <code>protocol: \"https\"<\/code> and point <code>ssl.certificate_authorities<\/code> at its CA certificate; otherwise the password crosses the network in clear text.<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Restart Elastic Agent once you are done making the changes;<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>Restart-Service -Name 'Elastic Agent'<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"verifying-windows-agent-status-on-fleet-manager\">Verifying Windows Agent Status on Fleet manager<\/h3>\n\n\n\n<p>Once the agent has been successfully enrolled, log in to Kibana and check the agent status under <strong>Fleet &gt; Agents<\/strong>.<\/p>\n\n\n\n<p>The status may show <strong>Updating<\/strong> while the agent applies its policy; once it has checked in with the Fleet Server you should see <strong>Healthy<\/strong>.<\/p>\n\n\n\n<figure class=\"wp-block-gallery has-nested-images columns-default is-cropped wp-block-gallery-1 is-layout-flex wp-block-gallery-is-layout-flex\">\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1665\" height=\"664\" data-id=\"11557\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/02\/windows-agent-status.png\" alt=\"\" 
class=\"wp-image-11557\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/02\/windows-agent-status.png?v=1644865908 1665w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/02\/windows-agent-status-768x306.png?v=1644865908 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/02\/windows-agent-status-1536x613.png?v=1644865908 1536w\" sizes=\"(max-width: 1665px) 100vw, 1665px\" \/><\/figure>\n<\/figure>\n\n\n\n<p>And there you go. You can click on the agent name to view the related logs;<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1696\" height=\"763\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/02\/windows-agent-logs.png\" alt=\"\" class=\"wp-image-11558\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/02\/windows-agent-logs.png?v=1644865932 1696w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/02\/windows-agent-logs-768x346.png?v=1644865932 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/02\/windows-agent-logs-1536x691.png?v=1644865932 1536w\" sizes=\"(max-width: 1696px) 100vw, 1696px\" \/><\/figure>\n\n\n\n<p>You can also check the dashboards for various event activity under <strong>Data Streams<\/strong>.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1574\" height=\"724\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/02\/data-streams-dashboards.png\" alt=\"\" class=\"wp-image-11559\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/02\/data-streams-dashboards.png?v=1644865957 1574w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/02\/data-streams-dashboards-768x353.png?v=1644865957 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/02\/data-streams-dashboards-1536x707.png?v=1644865957 1536w\" sizes=\"(max-width: 1574px) 100vw, 1574px\" \/><\/figure>\n\n\n\n<p>Sample metrics dashboard.<\/p>\n\n\n\n<figure 
class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1889\" height=\"777\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/02\/event-dashboards.png\" alt=\"Monitor Windows Systems using Elastic Osquery Manager\" class=\"wp-image-11560\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/02\/event-dashboards.png?v=1644865998 1889w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/02\/event-dashboards-768x316.png?v=1644865998 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/02\/event-dashboards-1536x632.png?v=1644865998 1536w\" sizes=\"(max-width: 1889px) 100vw, 1889px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"querying-windows-agent-using-osquery-on-elk\">Querying Windows Agent using Osquery on ELK<\/h3>\n\n\n\n<p>With the Osquery Manager integration in the agent policy, you can now run live queries against the Windows agent. A live query is osquery SQL executed by osqueryd on the endpoint under the Elastic Agent service account (LocalSystem here), so grant the Kibana Osquery privilege only to the analysts who need to run queries.<\/p>\n\n\n\n<p>Thus;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Navigate to Kibana <strong>Management<\/strong> &gt; <strong>Osquery<\/strong> &gt; <strong>+New live query<\/strong>.<\/li>\n\n\n\n<li>Select the agent to query &gt; Enter a query &gt; <strong>Submit<\/strong> the query. 
You can also save the query to use later.<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1690\" height=\"868\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/02\/osquery-live-queries.png\" alt=\"\" class=\"wp-image-11563\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/02\/osquery-live-queries.png?v=1644868237 1690w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/02\/osquery-live-queries-768x394.png?v=1644868237 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/02\/osquery-live-queries-1536x789.png?v=1644868237 1536w\" sizes=\"(max-width: 1690px) 100vw, 1690px\" \/><\/figure><\/div>\n\n\n<ul class=\"wp-block-list\">\n<li>Check the query <strong>Results<\/strong> and <strong>Status<\/strong>.<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1682\" height=\"738\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/02\/windows-osquery-live_queries.png\" alt=\"\" class=\"wp-image-11565\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/02\/windows-osquery-live_queries.png?v=1644868406 1682w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/02\/windows-osquery-live_queries-768x337.png?v=1644868406 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/02\/windows-osquery-live_queries-1536x674.png?v=1644868406 1536w\" sizes=\"(max-width: 1682px) 100vw, 1682px\" \/><\/figure><\/div>\n\n\n<ul class=\"wp-block-list\">\n<li>You can run other queries, for example a software inventory that unions the Windows programs, package and browser-extension tables. Note that <code>chrome_extensions<\/code> and <code>firefox_addons<\/code> only return rows for the user osqueryd runs as unless you join them to the <code>users<\/code> table on <code>uid<\/code>, so this query can under-report per-user browser extensions;<\/li>\n<\/ul>\n\n\n\n<pre class=\"scroll-box\"><code>\nSELECT name AS name, version AS version, 'Program (Windows)' AS type, 'programs' AS source FROM programs\nUNION SELECT name AS name, version AS version, 'Package (Python)' AS type, 'python_packages' AS source FROM python_packages\nUNION SELECT name AS name, version AS version, 'Browser plugin (IE)' AS type, 'ie_extensions' AS source FROM ie_extensions\nUNION SELECT name AS name, version AS version, 'Browser plugin (Chrome)' AS type, 'chrome_extensions' AS source FROM chrome_extensions\nUNION SELECT name AS name, version AS version, 'Browser plugin (Firefox)' AS type, 'firefox_addons' AS source FROM firefox_addons\nUNION SELECT name AS name, version AS version, 'Package (Chocolatey)' AS type, 'chocolatey_packages' AS source FROM chocolatey_packages\nUNION SELECT name AS name, version AS version, 'Package (Atom)' AS type, 'atom_packages' AS source FROM atom_packages;\n<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1600\" height=\"860\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/02\/osquery-windows-queries.png\" alt=\"\" class=\"wp-image-11566\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/02\/osquery-windows-queries.png?v=1644868975 1600w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/02\/osquery-windows-queries-768x413.png?v=1644868975 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/02\/osquery-windows-queries-1536x826.png?v=1644868975 1536w\" sizes=\"(max-width: 1600px) 100vw, 1600px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>You can find more Osquery queries on the <a href=\"https:\/\/fleetdm.com\/queries\" target=\"_blank\" rel=\"noreferrer noopener\">Fleetdm Queries<\/a> page.<\/li>\n<\/ul>\n\n\n\n<p>That marks the end of our tutorial.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"reference\">Reference<\/h3>\n\n\n\n<p><a href=\"https:\/\/www.elastic.co\/guide\/en\/kibana\/master\/osquery.html#osquery\" target=\"_blank\" rel=\"noreferrer noopener\">Kibana Osquery<\/a><\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"other-tutorials\">Other Tutorials<\/h3>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/configure-logstash-elasticsearch-basic-authentication\/\" target=\"_blank\" rel=\"noreferrer 
noopener\">Configure Logstash Elasticsearch Basic Authentication<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/how-to-enable-basic-authentication-on-elk-stack\/\" target=\"_blank\" rel=\"noreferrer noopener\">How to Enable Basic Authentication on ELK Stack<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/install-and-enroll-elastic-agents-to-fleet-manager-in-linux\/\" target=\"_blank\" rel=\"noreferrer noopener\">Install and Enroll Elastic Agents to Fleet Manager in Linux<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this tutorial, you will learn how to monitor Windows systems using Elastic Osquery Manager. Recent versions of the Elastic Stack ship an integration with Osquery<\/p>\n","protected":false},"author":3,"featured_media":10042,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[72,121],"tags":[4577,4578,4579,4576,3290,4580],"class_list":["post-11385","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-monitoring","category-howtos","tag-elk-osquery-windows-agent","tag-enroll-windows-agent-elk-fleet-manager","tag-fleet-server","tag-monitor-windows-systems-using-elastic-osquery-manager","tag-osquery-manager","tag-query-windows-agents-on-elk-osquery","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50","resize-featured-image"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/11385"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=11385"}],"version-history":[{"count":12,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/11385\/revisions"}],
"predecessor-version":[{"id":21583,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/11385\/revisions\/21583"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media\/10042"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=11385"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=11385"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=11385"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}