This release introduces the ability to create rules to alert when new nodes are enrolled or existing nodes have gone offline. Knowing when nodes go offline is mainly useful in diagnosing issues with osquery installs, such as database corruption, process misbehavior, incompatibility, or uninstalls.
-
To notify when new nodes are enrolled, you can simply create a rule to alert on results with the query name
doorman/tasks/node_enrolledand action equal totriggered. -
To alert when a node goes offline, a separate task can be scheduled to run on a periodic basis using Celery Beat (by default, this is configured to run once per day, but must Beat must be running), which reports the time since last checkin, last result, and time between last checkin and last result. Rules can be created to alert on
doorman/tasks/node_offline_checks, action equal totriggered, and any ofsince_last_result_days,since_last_result_seconds,since_last_checkin_days,since_last_checkin_seconds,since_last_checkin_to_last_result_days,since_last_checkin_to_last_result_seconds.
Changes:
- Support for notifications when nodes newly enroll or have gone offline [#112 and #113]
- Slack Alerter plugin [#121]
- Support for Windows [#123]
- Support for passing tags with enroll secrets [#128, #129]
- Updated validation schema to be current with osquery v2.7.0 [#123]
- Templated string emails [#124]
- Vagrantfile for easy provisioning [#85]
- Improved Docker support [#86, #96, #103, #107, #108]
- Add interact.js as a dependency to bower [#93]
- Support for custom osquery DDL validation [#94]
- Support for osquery snapshot logs
- Added Troubleshooting section to README
- Flush after writing to log file in file logger plugin [#92]
Commits since last release
Commits to master since this release.