Monitoring

Aquilon DLP exposes findings through osquery tables, enabling powerful querying, alerting, and integration with existing security infrastructure.

osquery Tables

Aquilon DLP provides the following table for monitoring:

Table	Description
`aquilon_dlp_alerts`	Primary alert table with all findings and triage status

For complete table schema and triage workflow, see OSQuery Integration.

Querying Alerts

Basic Queries

View recent alerts:

<!--SETUP
/init-services.sh && cp /var/test-data/sample-data.csv /var/watch/test1.csv
-->
SELECT * FROM aquilon_dlp_alerts
ORDER BY timestamp DESC
LIMIT 10;
<!--ASSERT 
rows >= 0 
-->

View alerts for specific file:

<!--SETUP
/init-services.sh && cp /var/test-data/sample-data.csv /var/watch/specific-file-test.csv
-->
SELECT policy, severity, data_type, pattern
FROM aquilon_dlp_alerts
WHERE path LIKE '%specific-file-test%';
<!--ASSERT
rows >= 0
-->

View alerts from last 24 hours:

<!--SETUP
/init-services.sh
-->
SELECT * FROM aquilon_dlp_alerts
WHERE timestamp > (strftime('%s', 'now') - 86400);
<!--ASSERT 
rows >= 0 
-->

Analyzing Patterns

Count alerts by policy:

<!--SETUP
/init-services.sh
-->
SELECT policy, COUNT(*) as alert_count
FROM aquilon_dlp_alerts
GROUP BY policy
ORDER BY alert_count DESC;
<!--ASSERT
rows >= 0
-->

Count alerts by severity:

<!--SETUP
/init-services.sh
-->
SELECT severity, COUNT(*) as count
FROM aquilon_dlp_alerts
GROUP BY severity
ORDER BY
  CASE severity
    WHEN 'critical' THEN 1
    WHEN 'high' THEN 2
    WHEN 'medium' THEN 3
    WHEN 'low' THEN 4
  END;
<!--ASSERT 
rows >= 0 
-->

Find most affected directories:

<!--SETUP
/init-services.sh
-->
SELECT
  rtrim(path, replace(path, '/', '')) as directory,
  COUNT(*) as alert_count
FROM aquilon_dlp_alerts
GROUP BY directory
ORDER BY alert_count DESC
LIMIT 10;
<!--ASSERT 
rows >= 0 
-->

View data types found:

<!--SETUP
/init-services.sh
-->
SELECT data_type, COUNT(*) as count
FROM aquilon_dlp_alerts
GROUP BY data_type
ORDER BY count DESC;
<!--ASSERT 
rows >= 0 
-->

Investigation Queries

Find all alerts for a specific user:

<!--SETUP
/init-services.sh
-->
SELECT * FROM aquilon_dlp_alerts
WHERE path LIKE '/var/watch/%'
ORDER BY timestamp DESC;
<!--ASSERT 
rows >= 0 
-->

Find files with multiple policy violations:

<!--SETUP
/init-services.sh
-->
SELECT path, COUNT(DISTINCT policy) as policy_count
FROM aquilon_dlp_alerts
GROUP BY path
HAVING policy_count > 1
ORDER BY policy_count DESC;
<!--ASSERT
rows >= 0
-->

Find high-severity alerts with multiple findings:

<!--SETUP
/init-services.sh
-->
SELECT path, policy, data_type, confidence
FROM aquilon_dlp_alerts
WHERE severity IN ('critical', 'high')
ORDER BY timestamp DESC
LIMIT 20;
<!--ASSERT
rows >= 0
-->

Alert Fields

The aquilon_dlp_alerts table contains these fields:

Field	Type	Description
`id`	TEXT	UUID (finding_id) for row identification
`timestamp`	BIGINT	Unix timestamp of detection
`path`	TEXT	Full path to scanned file
`scanner`	TEXT	Scanner that detected the finding
`severity`	TEXT	Alert severity (critical/high/medium/low)
`policy`	TEXT	Policy that triggered the alert
`data_type`	TEXT	Type of sensitive data found
`pattern`	TEXT	Redacted pattern that matched
`confidence`	INTEGER	Confidence level (0-100)
`match_count`	INTEGER	Number of matches in file
`frameworks`	TEXT	Applicable compliance frameworks
`triage_status`	TEXT	Triage status (new/acknowledged/resolved/ignored)
`triage`	TEXT	JSON object with triage details (owner, comment, timestamp)
`context`	TEXT	JSON object with file metadata and context

For details on the JSON column structure and querying, see OSQuery Integration.

<!--SETUP
/init-services.sh
-->
SELECT id, timestamp, path, scanner, severity, policy, data_type,
       pattern, confidence, match_count, frameworks, triage_status,
       triage, context
FROM aquilon_dlp_alerts LIMIT 0;

Alert Triage

Aquilon DLP supports updating alert triage status directly through OSQuery UPDATE statements. This allows security analysts to acknowledge, investigate, and resolve alerts.

Triage Status Values

Status	Description
`new`	Just detected, needs review (default)
`acknowledged`	Analyst is investigating
`resolved`	Issue has been handled
`ignored`	Intentionally skipped (false positive)

Example Triage Queries

View alerts needing review:

<!--SETUP
/init-services.sh && cp /var/test-data/sample-data.csv /var/watch/triage-test.csv
-->
SELECT path, scanner, severity, policy
FROM aquilon_dlp_alerts
WHERE triage_status = 'new'
ORDER BY severity DESC;
<!--ASSERT
rows >= 0
-->

Acknowledge an alert:

<!--SETUP
/init-services.sh && cp /var/test-data/sample-data.csv /var/watch/ack-test.csv
-->
UPDATE aquilon_dlp_alerts
SET triage_status = 'acknowledged',
    triage = JSON_OBJECT('owner', 'analyst@company.com')
WHERE path LIKE '%ack-test%';

Resolve an alert:

<!--SETUP
/init-services.sh
-->
UPDATE aquilon_dlp_alerts
SET triage_status = 'resolved',
    triage = JSON_OBJECT('comment', 'File removed from system')
WHERE path LIKE '%ack-test%';

For complete triage workflow documentation, see OSQuery Integration.

Log Analysis

Log Locations

Platform	Log Location
macOS	`/var/log/aquilon/aquilon-dlp.log`
Linux	`/var/log/aquilon/aquilon-dlp.log`

Viewing Logs

Real-time log monitoring:

# macOS/Linux
tail -f /var/log/aquilon/aquilon-dlp.log

Filter for errors:

grep -i error /var/log/aquilon/aquilon-dlp.log

Filter for specific file:

grep "document.pdf" /var/log/aquilon/aquilon-dlp.log

Log Levels

Configure log level using the RUST_LOG environment variable:

# Set log level
export RUST_LOG=info

# Available levels: error, warn, info, debug, trace

Level	Description
`error`	Only critical errors
`warn`	Errors and warnings
`info`	General operational messages
`debug`	Detailed debugging information
`trace`	Extremely verbose tracing

SIEM Integration

JSON Log Format

Configure JSON logs for SIEM ingestion using environment variables:

# Set log level and format
export RUST_LOG=info

# Logs are written to stdout in structured JSON format
# Redirect output as needed for your SIEM

The application uses the tracing crate which outputs structured JSON fields for easy parsing when configured appropriately in your init system.

osquery Fleet Management

Aquilon DLP integrates with osquery fleet management tools:

Fleet - kolide/fleet or fleetdm
Kolide - kolide.com
osquery directly - via distributed queries

Example distributed query:

<!--SETUP
/init-services.sh
-->
SELECT * FROM aquilon_dlp_alerts
WHERE severity IN ('critical', 'high')
AND timestamp > (strftime('%s', 'now') - 3600);
<!--ASSERT 
rows >= 0 
-->

Splunk Integration

Forward osquery results to Splunk:

Configure osquery logger to file
Use Splunk Universal Forwarder to ingest logs
Create dashboards for DLP alerts

Example Splunk query:

index=osquery sourcetype=osquery:results name=aquilon_dlp_alerts
| stats count by policy, severity

Elastic Stack Integration

Forward to Elasticsearch:

Configure osquery with Kafka or file logger
Use Filebeat/Logstash to ingest
Create Kibana dashboards

Alerting

osquery Scheduled Queries

Schedule regular alert checks:

{
  "schedule": {
    "dlp_critical_alerts": {
      "query": "SELECT * FROM aquilon_dlp_alerts WHERE severity = 'critical' AND triage_status = 'new'",
      "interval": 300
    }
  }
}

External Alerting

Integrate with external systems by:

Using osquery scheduled queries to export results
Configuring SIEM to forward alerts to PagerDuty/Slack
Triggering SOAR playbooks on critical alerts

Performance Metrics

System Resource Usage

Monitor Aquilon DLP resource consumption:

Memory usage: Check process memory
CPU usage: Monitor during active scanning
Disk I/O: Cache database writes

# macOS/Linux - find Aquilon DLP process
ps aux | grep aquilon

# Watch resource usage
top -p $(pgrep aquilon)

Operational Dashboards

Key Metrics to Track

Metric	Query	Alert Threshold
Critical alerts/hour	`COUNT WHERE severity=‘critical’`	>0
High alerts/hour	`COUNT WHERE severity=‘high’`	>10
New alerts needing triage	`COUNT WHERE triage_status=‘new’`	>50

Example Dashboard Queries

Alerts by policy:

<!--SETUP
/init-services.sh
-->
SELECT policy, COUNT(*) as count
FROM aquilon_dlp_alerts
GROUP BY policy
ORDER BY count DESC
LIMIT 5;
<!--ASSERT
rows >= 0
-->

Triage status summary:

<!--SETUP
/init-services.sh
-->
SELECT triage_status, COUNT(*) as count
FROM aquilon_dlp_alerts
GROUP BY triage_status;
<!--ASSERT 
rows >= 0 
-->

Health Checks

Verify Extension Loading

<!--SETUP
/init-services.sh
-->
SELECT * FROM osquery_extensions
WHERE name LIKE '%aquilon%';
<!--ASSERT 
rows >= 0 
-->

Verify Table Availability

<!--SETUP
/init-services.sh
-->
PRAGMA table_info(aquilon_dlp_alerts);
<!--ASSERT 
rows >= 0 
-->

Test Query

osqueryi --connect /var/osquery/osquery.sock 'SELECT COUNT(*) as alert_count FROM aquilon_dlp_alerts;'

Troubleshooting Monitoring

No Data in Tables

Verify extension is loaded:

<!--SETUP
/init-services.sh
-->
SELECT * FROM osquery_extensions;
<!--ASSERT 
rows >= 0
-->

Check osquery logs:
```
journalctl -u osqueryd -f
```
Verify configuration is loaded:
```
cat /etc/aquilon/config.toml
```

Stale Data

Check if files are being monitored (watch paths configured)
Verify cache isn’t returning old results
Check system time is correct

Performance Issues

Reduce log verbosity
Increase cache TTL
Adjust concurrent scan limits
Review excluded paths

See Configuration for performance tuning options.

Keyboard shortcuts