Monitoring
Aquilon DLP exposes findings through osquery tables, enabling powerful querying, alerting, and integration with existing security infrastructure.
osquery Tables
Aquilon DLP provides the following table for monitoring:
| Table | Description |
|---|---|
aquilon_dlp_alerts | Primary alert table with all findings and triage status |
For complete table schema and triage workflow, see OSQuery Integration.
Querying Alerts
Basic Queries
View recent alerts:
SELECT * FROM aquilon_dlp_alerts
ORDER BY timestamp DESC
LIMIT 10;
View alerts for specific file:
SELECT policy, severity, data_type, pattern
FROM aquilon_dlp_alerts
WHERE path LIKE '%specific-file-test%';
View alerts from last 24 hours:
SELECT * FROM aquilon_dlp_alerts
WHERE timestamp > (strftime('%s', 'now') - 86400);
Analyzing Patterns
Count alerts by policy:
SELECT policy, COUNT(*) as alert_count
FROM aquilon_dlp_alerts
GROUP BY policy
ORDER BY alert_count DESC;
Count alerts by severity:
SELECT severity, COUNT(*) as count
FROM aquilon_dlp_alerts
GROUP BY severity
ORDER BY
CASE severity
WHEN 'critical' THEN 1
WHEN 'high' THEN 2
WHEN 'medium' THEN 3
WHEN 'low' THEN 4
END;
Find most affected directories:
SELECT
rtrim(path, replace(path, '/', '')) as directory,
COUNT(*) as alert_count
FROM aquilon_dlp_alerts
GROUP BY directory
ORDER BY alert_count DESC
LIMIT 10;
View data types found:
SELECT data_type, COUNT(*) as count
FROM aquilon_dlp_alerts
GROUP BY data_type
ORDER BY count DESC;
Investigation Queries
Find all alerts for a specific user:
SELECT * FROM aquilon_dlp_alerts
WHERE path LIKE '/var/watch/%'
ORDER BY timestamp DESC;
Find files with multiple policy violations:
SELECT path, COUNT(DISTINCT policy) as policy_count
FROM aquilon_dlp_alerts
GROUP BY path
HAVING policy_count > 1
ORDER BY policy_count DESC;
Find high-severity alerts with multiple findings:
SELECT path, policy, data_type, confidence
FROM aquilon_dlp_alerts
WHERE severity IN ('critical', 'high')
ORDER BY timestamp DESC
LIMIT 20;
Alert Fields
The aquilon_dlp_alerts table contains these fields:
| Field | Type | Description |
|---|---|---|
id | TEXT | UUID (finding_id) for row identification |
timestamp | BIGINT | Unix timestamp of detection |
path | TEXT | Full path to scanned file |
scanner | TEXT | Scanner that detected the finding |
severity | TEXT | Alert severity (critical/high/medium/low) |
policy | TEXT | Policy that triggered the alert |
data_type | TEXT | Type of sensitive data found |
pattern | TEXT | Redacted pattern that matched |
confidence | INTEGER | Confidence level (0-100) |
match_count | INTEGER | Number of matches in file |
frameworks | TEXT | Applicable compliance frameworks |
triage_status | TEXT | Triage status (new/acknowledged/resolved/ignored) |
triage | TEXT | JSON object with triage details (owner, comment, timestamp) |
context | TEXT | JSON object with file metadata and context |
For details on the JSON column structure and querying, see OSQuery Integration.
Alert Triage
Aquilon DLP supports updating alert triage status directly through OSQuery UPDATE statements. This allows security analysts to acknowledge, investigate, and resolve alerts.
Triage Status Values
| Status | Description |
|---|---|
new | Just detected, needs review (default) |
acknowledged | Analyst is investigating |
resolved | Issue has been handled |
ignored | Intentionally skipped (false positive) |
Example Triage Queries
View alerts needing review:
SELECT path, scanner, severity, policy
FROM aquilon_dlp_alerts
WHERE triage_status = 'new'
ORDER BY severity DESC;
Acknowledge an alert:
UPDATE aquilon_dlp_alerts
SET triage_status = 'acknowledged',
triage = JSON_OBJECT('owner', 'analyst@company.com')
WHERE path LIKE '%ack-test%';
Resolve an alert:
UPDATE aquilon_dlp_alerts
SET triage_status = 'resolved',
triage = JSON_OBJECT('comment', 'File removed from system')
WHERE path LIKE '%ack-test%';
For complete triage workflow documentation, see OSQuery Integration.
Log Analysis
Log Locations
| Platform | Log Location |
|---|---|
| macOS | /var/log/aquilon/aquilon-dlp.log |
| Linux | /var/log/aquilon/aquilon-dlp.log |
Viewing Logs
Real-time log monitoring:
# macOS/Linux
tail -f /var/log/aquilon/aquilon-dlp.log
Filter for errors:
grep -i error /var/log/aquilon/aquilon-dlp.log
Filter for specific file:
grep "document.pdf" /var/log/aquilon/aquilon-dlp.log
Log Levels
Configure log level using the RUST_LOG environment variable:
# Set log level
export RUST_LOG=info
# Available levels: error, warn, info, debug, trace
| Level | Description |
|---|---|
error | Only critical errors |
warn | Errors and warnings |
info | General operational messages |
debug | Detailed debugging information |
trace | Extremely verbose tracing |
SIEM Integration
JSON Log Format
Configure JSON logs for SIEM ingestion using environment variables:
# Set log level and format
export RUST_LOG=info
# Logs are written to stdout in structured JSON format
# Redirect output as needed for your SIEM
The application uses the tracing crate which outputs structured JSON fields for easy parsing when configured appropriately in your init system.
osquery Fleet Management
Aquilon DLP integrates with osquery fleet management tools:
- Fleet - kolide/fleet or fleetdm
- Kolide - kolide.com
- osquery directly - via distributed queries
Example distributed query:
SELECT * FROM aquilon_dlp_alerts
WHERE severity IN ('critical', 'high')
AND timestamp > (strftime('%s', 'now') - 3600);
Splunk Integration
Forward osquery results to Splunk:
- Configure osquery logger to file
- Use Splunk Universal Forwarder to ingest logs
- Create dashboards for DLP alerts
Example Splunk query:
index=osquery sourcetype=osquery:results name=aquilon_dlp_alerts
| stats count by policy, severity
Elastic Stack Integration
Forward to Elasticsearch:
- Configure osquery with Kafka or file logger
- Use Filebeat/Logstash to ingest
- Create Kibana dashboards
Alerting
osquery Scheduled Queries
Schedule regular alert checks:
{
"schedule": {
"dlp_critical_alerts": {
"query": "SELECT * FROM aquilon_dlp_alerts WHERE severity = 'critical' AND triage_status = 'new'",
"interval": 300
}
}
}
External Alerting
Integrate with external systems by:
- Using osquery scheduled queries to export results
- Configuring SIEM to forward alerts to PagerDuty/Slack
- Triggering SOAR playbooks on critical alerts
Performance Metrics
System Resource Usage
Monitor Aquilon DLP resource consumption:
- Memory usage: Check process memory
- CPU usage: Monitor during active scanning
- Disk I/O: Cache database writes
# macOS/Linux - find Aquilon DLP process
ps aux | grep aquilon
# Watch resource usage
top -p $(pgrep aquilon)
Operational Dashboards
Key Metrics to Track
| Metric | Query | Alert Threshold |
|---|---|---|
| Critical alerts/hour | COUNT WHERE severity=‘critical’ | >0 |
| High alerts/hour | COUNT WHERE severity=‘high’ | >10 |
| New alerts needing triage | COUNT WHERE triage_status=‘new’ | >50 |
Example Dashboard Queries
Alerts by policy:
SELECT policy, COUNT(*) as count
FROM aquilon_dlp_alerts
GROUP BY policy
ORDER BY count DESC
LIMIT 5;
Triage status summary:
SELECT triage_status, COUNT(*) as count
FROM aquilon_dlp_alerts
GROUP BY triage_status;
Health Checks
Verify Extension Loading
SELECT * FROM osquery_extensions
WHERE name LIKE '%aquilon%';
Verify Table Availability
PRAGMA table_info(aquilon_dlp_alerts);
Test Query
osqueryi --connect /var/osquery/osquery.sock 'SELECT COUNT(*) as alert_count FROM aquilon_dlp_alerts;'
Troubleshooting Monitoring
No Data in Tables
-
Verify extension is loaded:
<!--SETUP /init-services.sh --> SELECT * FROM osquery_extensions; <!--ASSERT rows >= 0 --> -
Check osquery logs:
journalctl -u osqueryd -f -
Verify configuration is loaded:
cat /etc/aquilon/config.toml
Stale Data
- Check if files are being monitored (watch paths configured)
- Verify cache isn’t returning old results
- Check system time is correct
Performance Issues
- Reduce log verbosity
- Increase cache TTL
- Adjust concurrent scan limits
- Review excluded paths
See Configuration for performance tuning options.