I am trying to use the osquery SDK on Windows. Does it have any DLL which can be loaded into my process? It's not very clear from the documentation. Any pointers will help.
osquery is generally meant to be used as a daemon (or service), which collects data. This data can either be logged locally, or sent to a remote server.
osquery supports extensions. These extensions use the osquery SDK. osquery also supports some interaction over a thrift socket; this can also use the SDK.
osquery is generally not embedded.

seph
Thank you. The documentation doesn't give any clue of how to write the client. I want to build a client which will require osquery. I am considering shipping the osquery binaries and using osqueryd through my client. How do I use osqueryd? There doesn't seem to be any example around this, or am I missing something? My client would be in C++. – Baab May 17 '21 at 13:06
Designing cross-process communication is a bit out of scope for stackoverflow. So, this is pretty truncated. If you were running osquery as a daemon, you could communicate with it over the thrift socket. Thrift is thrift. You don't strictly need an SDK, just the thrift definitions. This is generally recommended. You could ingest osquery logs. They're written in json. You could shell out to osqueryi, and parse the json output. – seph May 18 '21 at 16:39
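The two SDK-free routes seph's reply describes (ingesting osqueryd's JSON results log, and shelling out to osqueryi and parsing its JSON), as an added example that is not part of the original thread and not osquery's own code. It is in Python rather than the asker's C++ because the process-level mechanics are the same in either language. It assumes an `osqueryi` binary on PATH for `run_osqueryi`; the log lines in `SAMPLE_LOG` are constructed, and the function names are the example's own.

```python
import json
import subprocess
from typing import Iterable

Row = dict[str, str]  # osquery emits every column value as a string

def parse_osqueryi_output(stdout: str) -> list[Row]:
    rows = json.loads(stdout)
    if not isinstance(rows, list) or not all(isinstance(r, dict) for r in rows):
        raise ValueError("osqueryi --json should print an array of objects")
    return rows

def run_osqueryi(sql: str, binary: str = "osqueryi") -> list[Row]:
    # The query is an argv element, not a shell string, so no command
    # interpreter ever sees it; check=True turns a failed run into an error.
    proc = subprocess.run([binary, "--json", sql], capture_output=True,
                          text=True, check=True, timeout=60)
    return parse_osqueryi_output(proc.stdout)

def ingest_results_log(lines: Iterable[str]) -> dict[str, list[Row]]:
    # Fold osqueryd's results log into current state per scheduled query.
    # Differential lines carry "action": "added"/"removed" plus "columns";
    # snapshot lines carry "action": "snapshot" plus a "snapshot" array
    # that replaces whatever was known for that query. Bad lines are skipped.
    state: dict[str, list[Row]] = {}
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        name, action = event.get("name"), event.get("action")
        rows = state.setdefault(name, [])
        if action == "snapshot":
            state[name] = list(event.get("snapshot", []))
        elif action == "added":
            rows.append(event["columns"])
        elif action == "removed" and event["columns"] in rows:
            rows.remove(event["columns"])
    return state

# Constructed sample of osqueryd's results.log, one JSON object per line.
SAMPLE_LOG = [
    '{"name":"listening_ports","action":"added","columns":{"pid":"1234","port":"8080"}}',
    '{"name":"listening_ports","action":"added","columns":{"pid":"99","port":"22"}}',
    '{"name":"listening_ports","action":"removed","columns":{"pid":"1234","port":"8080"}}',
    'not json at all',
    '{"name":"os_version","action":"snapshot","snapshot":[{"name":"Microsoft Windows","major":"10"}]}',
]
```

`ingest_results_log(SAMPLE_LOG)` leaves only port 22 under `listening_ports` and the snapshot row under `os_version`; `run_osqueryi('select pid, name from processes')` returns the same row shape from a live osqueryi.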