osquery: Send log messages to osquery's syslog table

The osquery() driver sends log messages to osquery’s syslog table.

The syslog table contains log messages that AxoSyslog (syslog-ng) writes to a named pipe. When an osquery process that supports the syslog table starts with syslog ingestion enabled, it creates the named pipe (and sets its permissions) for AxoSyslog to write to. Keep those permissions tight: anything that can write to the pipe can insert rows into the table.

Example: Using the osquery() destination driver

Run osqueryi with syslog ingestion enabled. Events are disabled by default in osqueryi, so they have to be re-enabled as well or the syslog table stays empty:

    osqueryi --enable_syslog \
             --disable_events=false

To keep the database on disk instead of the shell's default temporary database:

    osqueryi --enable_syslog \
             --disable_events=false \
             --database_path=/tmp/osquery.db

To use a custom named pipe (the same path then has to be passed to the osquery() destination in its pipe() option):

    osqueryi --enable_syslog \
             --disable_events=false \
             --database_path=/tmp/osquery.db \
             --syslog_pipe_path=/tmp/osq.pipe

Paths under /tmp are fine for an interactive test; for a deployment, put the pipe and the database in a directory that only the osquery and AxoSyslog users can reach.

Example configuration. The network() source listens on TCP port 5514, and flags(flow-control) suspends that source when osquery stops draining the pipe instead of dropping messages:

    @version: 3.12
    @include "scl.conf"

    source s_net {
      network(port(5514));
    };

    destination d_osquery {
      # custom pipe path (must match osqueryi --syslog_pipe_path):
      #osquery(pipe("/tmp/osq.pipe"));

      # also write a copy of every message sent to osquery to a file:
      #osquery(file("/var/log/osquery_inserts.log" template(t_osquery)));

      # defaults
      osquery();
    };

    log {
      source(s_net);
      destination(d_osquery);
      flags(flow-control);
    };
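A preflight check for the setup above, as an added example that is not part of the AxoSyslog documentation or the osquery project: before pointing the osquery() destination at the pipe, verify that the path osqueryi is expected to have created really is a FIFO, is not a symlink and is not world-writable, then push one test line at the network() source on port 5514 so the row can be looked up in the table. The default pipe path in the comment, the use of `nc` for the test message and the `osq-test` tag are assumptions for this example; check `osqueryi --help` for the actual default of --syslog_pipe_path on your build.

```shell
#!/bin/sh
# Added example, not code from the AxoSyslog docs or from osquery.
# Usage:
#   ./osquery_pipe_check.sh /tmp/osq.pipe && send_test_message 127.0.0.1 5514
# The pipe path is the one passed to osqueryi --syslog_pipe_path; the port is
# the one in the network() source of the example configuration.

# check_osquery_pipe PATH
# Returns 0 when PATH is a named pipe (FIFO) that is neither a symlink nor
# world-writable; otherwise prints the reason to stderr and returns 1.
# A world-writable pipe would let any local user inject fabricated rows
# into osquery's syslog table, so this check is the one that matters.
check_osquery_pipe() {
    p="$1"
    if [ -L "$p" ]; then
        echo "refusing symlink at $p" >&2
        return 1
    fi
    if [ ! -p "$p" ]; then
        echo "$p is not a named pipe (is osqueryi running with --enable_syslog?)" >&2
        return 1
    fi
    # Octal mode: GNU stat uses -c '%a', BSD/macOS stat uses -f '%Lp'.
    mode=$(stat -c '%a' "$p" 2>/dev/null || stat -f '%Lp' "$p" 2>/dev/null)
    if [ -z "$mode" ]; then
        echo "cannot read permissions of $p" >&2
        return 1
    fi
    # The last octal digit holds the "other" bits; bit 2 is write.
    other=$(printf '%s' "$mode" | tail -c 1)
    if [ $(( ${other:-0} & 2 )) -ne 0 ]; then
        echo "$p is world-writable (mode $mode)" >&2
        return 1
    fi
    return 0
}

# send_test_message HOST PORT
# Sends one BSD-syslog style line (PRI 13 = user.notice) over TCP to the
# network() source, so the message then travels through d_osquery into the
# pipe. Assumes nc(1) is installed. Afterwards, in the osqueryi shell:
#   SELECT * FROM syslog WHERE message LIKE '%hello from AxoSyslog%';
send_test_message() {
    host="$1"
    port="$2"
    printf '<13>%s %s osq-test: hello from AxoSyslog\n' \
        "$(date '+%b %e %H:%M:%S')" "$(hostname)" | nc -w 1 "$host" "$port"
}

# When run as a script (not sourced), check the pipe given as $1.
if [ -n "$1" ]; then
    check_osquery_pipe "$1"
fi
```

If the check fails because the path is missing, osqueryi either is not running, was started without --enable_syslog, or was given a different --syslog_pipe_path; run the check as the user AxoSyslog runs as, since that is the user that needs write access to the pipe.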
Last modified October 29, 2023: Create manpages (#34) (9534f54)