Questions tagged [osquery]

osquery is an open-source, cross-platform endpoint security monitoring and system information tool. It is either run locally in an interactive command-line session, or is deployed remotely with scheduled queries that report to a central logging system of the user's choice. It has an SQL-based query interface that presents OS-level data as virtual SQL tables, for flexible and powerful relational-data requests.

Tagging Recommendation

Use the osquery tag for all osquery-related questions. If your question involves issues specific to a particular operating system platform, also add a tag such as windows, macos, or linux. osquery is an extensible tool for gathering OS-level system information, so many development issues are as much about the intricacies of platform APIs as about osquery itself.

If your question concerns the SQL language and its syntax, the sql tag may also be appropriate.

Other osquery Resources

osquery main site

osquery user and developer documentation

osquery community Slack chat

osquery's GitHub source code repository

78 questions
0 votes, 1 answer

Why does osquery not use the Linux OS name from /etc/os-release but that from

I understand that it makes sense to use /etc/redhat-release or /etc/gentoo-release to identify the OS platform (aka the origin of the Linux), but why not use the OS name from /etc/os-release, which would more accurately describe the exact Linux OS name (e.g.…
jun shen
0 votes, 0 answers

osquery file events giving events for un-monitored directory on macOS

Trying to capture file events on macOS. OS: Monterey. osquery table used: es_process_file_events. Flag used: --disable_endpointsecurity_fim=false. I am monitoring two directories, /tmp and /usr, but am not getting any file event from this folder…
User0987
0 votes, 1 answer

How to get the IP address with Osquery?

I am new with Osquery. I have a virtual machine on GCP where I have developed my web app. I want to find out with Osquery the IP address that connects to my virtual machine/web app, especially the HTTP package. Thanks! No result found, I have…
Andrea
0 votes, 0 answers

osquery not giving connection 'close' event in socket_events

I have configured osquery to query the table socket_events. When I use curl -k "https://www.google.com", I get the action:"connect" event. But once the curl command ends, the 'close' event is not seen. In osquery.conf I have configured to query…
cshell
0 votes, 0 answers

pid from file_events table in osquery

The osquery file_events table does not contain the pid. I would like to get the file activities along with the pid of the process doing that file activity, like rename/delete etc. This is for Linux versions where process_file_events is not available. How can…
Baab
0 votes, 0 answers

How to configure osquery with auditd

Who has expertise on how to work with osquery (or maybe you solved this problem)? Based on articles like this one - https://blog.palantir.com/auditing-with-osquery-part-two-configuration-and-implementation-87a8bba0ef48 - I understand osquery can be…
0 votes, 0 answers

osqueryd: Maximum sustainable CPU utilization limit exceeded: 12

osqueryd workers are stopping and say "Maximum sustainable CPU utilization limit exceeded: 12". I have got this issue on Ubuntu 20.04. How can I resolve the "Maximum sustainable CPU utilization limit exceeded" error?
0 votes, 1 answer

Creating extension failed: waiting for unix socket to be available: context deadline exceeded

When I call the function osquery.NewExtensionManagerServer I get the error: Waiting for unix socket to be available /var/osquery/oq.em context deadline exceeded. I am on Linux RHEL 8.2. Haven't seen it on other Linux versions. What might be the issue? Any…
0 votes, 0 answers

How to start osquery without system reboot when auditd is disabled?

I am trying to catch OSquery process_events (using audit). I am stopping and disabling auditd as per the OSquery documentation and starting osqueryd after that. But I am not getting a logger callback. Only after a system reboot am I getting logger…
User0987
0 votes, 0 answers

Osquery not able to run differential logging on packs

When running scheduled queries from packs, the results are as if I am running the queries in snapshot mode; I am not able to capture differentials from queries coming from pack files. I am not sure if this is a bug or a feature. For example, in my…
0 votes, 0 answers

Capturing process exits in osquery

On Linux, I am using the process_events table and do get the logs when a process is executed. But I don't get any notification when the process exits. I would like to track both process starts and exits. Is there any other table where I can get this? Any…
Baab
0 votes, 0 answers

Not able to capture file events with osquery process_file_events

I was successful in capturing file activities with file_events. But I could not make process_file_events work properly. After some file activities in the monitored directory I could not see any event coming to my plugin. For the same plugin with the same conf file…
Baab
0 votes, 1 answer

Can't connect to osquery daemon using python

I am trying to use evented tables of osquery using python but I am getting an exception. How can I use evented tables? import osquery if __name__=="__main__": instance= osquery.ExtensionClient('\\.\pipe\osquery.em') instance.open() while…
Vishal
0 votes, 1 answer

Fetching information using osquery from C++

I want to retrieve some OS information using osquery through a C++ client. I have seen the python binding for the same but don't see any sample in C++ to use osquery. Any idea how this can be done? I don't want to extend the osquery functionality, hence…
Baab
0 votes, 1 answer

Not able to retrieve file events info in osquery-python

I have a task to write a python program to retrieve file and process information using osquery while the program is running and we perform any operation on a file in the background. I have written the below code but it doesn't show any output. import…
Vishal