Questions tagged [osquery]

osquery is an open-source, cross-platform endpoint security monitoring and system information tool. It is either run locally in an interactive command-line session, or is deployed remotely with scheduled queries that report to a central logging system of the user's choice. It has an SQL-based query interface that presents OS-level data as virtual SQL tables, for flexible and powerful relational-data requests.

Tagging Recommendation

Use the osquery tag for all osquery-related questions. If your question includes issues specific to a particular operating system platform, you can include a tag like windows, macos, or linux. osquery is an extensible tool for gathering OS-level system information; many development issues are as much related to the intricacies of platform APIs as they are to osquery itself.

If your question is more about the SQL language and its syntax, the sql tag may also be appropriate.

Other osquery Resources

osquery main site

osquery user and developer documentation

osquery community Slack chat

osquery's GitHub source code repository

78 questions
1 vote, 1 answer

osquery not giving JSON or CSV output in window

osquery not giving JSON or CSV output in a window. I have tried these, but I am unable to produce CSV or JSON output: osquery> --csv select * from time; osquery> --json select * from time; osquery> --csv 'select * from time'; osquery> select * from time…
1 vote, 0 answers

Is it possible to configure Kafka SASL authentication on the osquery agent?

I'm trying to set up osquery logging as a Kafka producer with SASL-plain authentication, but I'm not sure whether it is possible or not. According to this page https://osquery.readthedocs.io/en/stable/deployment/logging/#logging-as-a-kafka-producer there are 3 Kafka…
1 vote, 1 answer

osquery suid_bin usage to list all system suid bit set

I have to list all suid set on my server with osquery. I assume that suid_bin should give me all suid set, but it seems that it misses some of them. I'm using it like this: Select * from suid_bin. But if I do a manual check on /usr, for example, I…
Eiga
1 vote, 1 answer

How can I separate logs based on scheduled events in the osquery.conf file?

Is it possible to break out the results log for osquery? Currently, every query is being lumped into osqueryd.results.log but I'd like to break out logging based on scheduled events. How can I achieve this? Example: { "options": { …
rcgelber
1 vote, 1 answer

Does osquery inotify install a watcher on the directory or on the files?

I am using osquery to monitor files and folders to get events on any operation on those files. There is a specific syntax for osquery configuration: "/etc/": watches the entire directory at a depth of 1. "/etc/%": watches the entire directory at a…
prateeknischal
1 vote, 1 answer

Unable to uninstall program from WiX created MSI

After installing osquery with an MSI made with WiXToolSet (using the script provided by osquery), I tried uninstalling it, which failed. Also, it didn't show as a program in appwiz. (Link to the script -…
1 vote, 1 answer

Called read on non-open pipe

I was performing some osquery and I got the exception. Code: import osquery inst = osquery.SpawnInstance("C:\\ProgramData\\osquery\\osqueryi.exe") inst.open() cursor = inst.client cursor.query("select name, version from programs;") Complete…
tbhaxor
1 vote, 1 answer

osquery - warnings when using osqueryi and logging disabled

When using the osqueryi interactive shell for osquery I'm running into an issue where a WARNING is displayed even though logging is supposed to be disabled. Is this a bug? Docs explain the following: --logger_min_status The minimum level for…
Devin
1 vote, 3 answers

OSquery - How to preload data to find infected files

I have to 'take over' some already infected Windows workstations and servers during a cyber exercise. The plan is to set up, e.g., a clean Windows 7 workstation with the latest patches ... then update the infected Windows 7 workstation to the latest patches ... load…
Pat
1 vote, 0 answers

OSquery can't load extension

I have created an osquery extension using C++ and the osquery SDK 3.3.0 on Windows. From the command line all runs perfectly: osqueryd.exe loads my extension and all works fine. In Task Manager I can see osqueryd.exe and my extension running. When I try to…
J19
1 vote, 1 answer

osquery on windows not taking flagfile

I am trying to build a PoC of osquery on Windows boxes and I just cannot get osqueryd.exe (or osqueryi.exe) to use the flagfile. I think there must be something I have missed in the documentation or whatever. Steps I tried: Validate the actual…
Tom Frost
1 vote, 1 answer

osquery-python extension causing osqueryi errors

I have a newbie question about creating osquery extensions using osquery-python. I created a small extension that gets some additional RPM info from my Linux system. Following the instructions in the docs, I added the path to the extension in…
GSP
1 vote, 1 answer

How to list some files with SQL select?

On Ubuntu 14.04 LTS, running this osqueryi command: osquery> SELECT * FROM file LIMIT 10; returns no rows. Other tables like users are populated. Do I need to "activate" something to populate the file table? Is there another table or something like…
Peter Krauss
0 votes, 0 answers

On macOS Mojave osquery not capturing events in osquery config plugin or config path

On macOS Mojave, when I try to capture process, file and network events using the config plugin and the logger plugin, events are lost. Also, when I try to capture events using a config path (osquery.conf file) and the logger plugin, events are lost. As soon as the osquery service…
User0987
0 votes, 0 answers

firefox_addons query on Osquery

When I input the command below in osquery, nothing comes up, but I have Firefox installed with a bunch of addons. I am using Windows 11. I tried with administrator privileges but it's not working. SELECT * FROM firefox_addons; I have also used the…
kush_1244