
I'm very new to osquery and I'd like to execute a query (e.g. SELECT * FROM last) every 5 minutes. Is there any way to define a script which executes this routine from within a crontab or something similar?

Probably it should be enough to execute the script with the query as a parameter, but there is nothing about it in the documentation, so I guess it isn't supported yet.

I checked their community and also their FAQ but haven't found anything relating to my problem.

osquery is on the latest version (1.7.3), self-compiled, running on Ubuntu Server 15.10, 64-bit.

If you need more information to help me, just let me know.

Filburt
Tyralcori

3 Answers

The recommended method is using scheduled queries. You create a 'pack' like one of these (GitHub link) which includes the queries and their frequencies, then update the osqueryd config to include the pack.

Alex M
  • I am an osquery core developer... This is definitely the recommended way to run a query on an interval. – Zach Apr 10 '18 at 18:36
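As an added example (not code from the answer above or from the osquery project), here is the pack and osqueryd config stanza this answer describes, generated and sanity-checked with Python. The pack name and file paths are assumptions; the keys used (`queries`, `query`, `interval`, `description`, `platform`, `packs`) are osquery's documented pack and config format, and `interval` is in seconds, so 5 minutes is 300.

```python
"""Added example: build the osquery pack and osqueryd config for a query that
runs every 5 minutes. Not from the answer or the osquery project; the file
paths and pack name below are assumptions."""
import json

PACK_NAME = "last-logins"                              # assumed
PACK_PATH = "/etc/osquery/packs/last-logins.conf"      # assumed
CONFIG_PATH = "/etc/osquery/osquery.conf"              # assumed
FIVE_MINUTES = 5 * 60                                  # osquery intervals are in seconds


def make_pack(queries, platform="linux"):
    """Pack in osquery's pack format: {"queries": {name: {query, interval, ...}}}.

    queries maps a name to (sql, interval_seconds, description).
    """
    return {
        "platform": platform,
        "queries": {
            name: {"query": sql, "interval": interval, "description": desc}
            for name, (sql, interval, desc) in queries.items()
        },
    }


def make_config(pack_name, pack_path):
    """osqueryd config stanza that loads the pack from a file path."""
    return {"packs": {pack_name: pack_path}}


def validate_pack(pack):
    """Return a list of problems; an empty list means every entry is well formed.
    A missing query or a non-positive interval is the usual reason a scheduled
    query never produces results."""
    problems = []
    for name, entry in pack.get("queries", {}).items():
        if not str(entry.get("query", "")).strip():
            problems.append(f"{name}: missing or empty 'query'")
        interval = entry.get("interval")
        if not isinstance(interval, int) or isinstance(interval, bool) or interval < 1:
            problems.append(f"{name}: 'interval' must be a positive integer number of seconds")
    return problems


def render(pack, config):
    """Pretty-printed JSON for both files, keyed by destination path."""
    return {PACK_PATH: json.dumps(pack, indent=2), CONFIG_PATH: json.dumps(config, indent=2)}


if __name__ == "__main__":
    pack = make_pack({
        "last_logins": ("SELECT * FROM last;", FIVE_MINUTES, "Login records from wtmp"),
    })
    problems = validate_pack(pack)
    if problems:
        raise SystemExit("\n".join(problems))
    for path, text in render(pack, make_config(PACK_NAME, PACK_PATH)).items():
        print(f"# {path}\n{text}\n")
```

Write the two files, check them with `osqueryd --config_check --config_path=/etc/osquery/osquery.conf`, and start the daemon with that `--config_path`. Scheduled query results are written to the results log under `logger_path` (default `/var/log/osquery`) as differential rows, i.e. only rows added or removed since the previous run; set `"snapshot": true` on the entry if you want the full result every 5 minutes instead.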

After reading even more documentation and different sites, I have found a pretty cool snippet which allows sending the query as a parameter by calling the osqueryi process.

/path/to/osqueryi --json "YOUR QUERY"

And this returns the result in your terminal in JSON format. So it's pretty easy to write a script (in any language), execute the snippet above and parse the content. This script can be run from cron as well.

Tyralcori

Maybe you could write a script (or a C program) to perform your query.

And then use cron to run your program every 5 minutes.

chen wang