Stack Overflow
Stack Overflow

Questions tagged [osquery]

osquery is an open-source, cross-platform endpoint security monitoring and system information tool. It is either run locally in an interactive command-line session, or is deployed remotely with scheduled queries that report to a central logging system of the user's choice. It has an SQL-based query interface that presents OS-level data as virtual SQL tables, for flexible and powerful relational-data requests.

Tagging Recommendation

Use the osquery tag for all osquery-related questions. If your question includes issues specific to a particular operating system platform, you can include a tag like windows, macos, or linux. osquery is an extensible tool for gathering OS-level system information; many development issues are as much related to the intricacies of platform APIs as they are to osquery itself.

If your question is more related to the SQL language and its various syntax, maybe the sql tag is also appropriate.

Other osquery Resources

osquery main site

osquery user and developer documentation

osquery community Slack chat

osquery's GitHub source code repository

78 questions
4
votes
2 answers

How to use "%" character in sql query on linux shell?

I am trying to pull all the jdk packages installed on set of hosts by sending a sql select statement to osquery on linux shell via pssh . Here is the query: pssh -h myhosts -i 'echo "SELECT name FROM rpm_packages where name like '%jdk%';"| osqueryi…
chetan honnavile
  • 398
  • 1
  • 6
  • 19
4
votes
1 answer

How to execute a SQL-query to osquery remotely?

I was able to find that osquery can work in interactive mode (osqueryi) and in daemon mode (osqueryd), in which it will periodically execute SQL queries in the background on a localhost. How about remote execution of SQL queries - for example, REST…
mgramin
  • 431
  • 8
  • 19
3
votes
3 answers

How to Convert Chrome Browser History Sqlite Timestamps with Osquery

As I understand, the Chrome browser uses the WebKit time format for timestamps within the browser history database. WebKit time is expressed as milliseconds since January, 1601. I've found numerous articles that seemingly have the answer to my…
Dylan Buehler
  • 71
  • 1
  • 6
3
votes
2 answers

Loop through SQL query using variable from another table

I have two tables file & users, I want to see the file info for each user for C:\Users\%USERNAME%\Documents So e.g. this would get the info from 'example' documents: SELECT * FROM file WHERE path LIKE 'C:\Users\example\Documents\%%'; But the…
asparamancer
  • 33
  • 3
3
votes
2 answers

How to save output of SQL query fired from Osquery to a file

I have installed Osquery utility on my machine. When I fire an SQL command, it gives output to STDOUT. Is there any way to redirect that output to a file? $ sudo osqueryi I0314 10:57:51.644351 3958 database.cpp:563] Checking database version for…
gkr2d2
  • 693
  • 2
  • 9
  • 20
2
votes
1 answer

A non-auto load osquery logger plug-in

Can I have a non-auto load osquery plugin. i.e. A plugin executable which will start on it's own and not by osqueryd and still connect to osqueryd and register for a logger plugin? Or is it mandatory that osqueryd itself launches the plugin…
Baab
  • 179
  • 6
2
votes
1 answer

Why OSQuery does not include "Computer" event information when reading Windows EventLogs?

I am trying to use OSQuery in an environment with WEF/WEC and what I am trying to do is to collect all the Windows Events that are stored via subscriptions in the WEC servers. My problem is that when I gather the windows events via OSQuery I do not…
Juan Alvarez Gonzalez
  • 23
  • 5
2
votes
1 answer

How to view osquery schema descriptions?

I was curious about some of the available tables I can see when I run osqueryi.exe. I have these tables. osquery> .tables => appcompat_shims => arp_cache => authenticode => autoexec => bitlocker_info => carbon_black_info => carves =>…
John Drinane
  • 1,279
  • 2
  • 14
  • 25
1
vote
1 answer

Osquery from a container?

Is it possible to get information about the underlying host node from a container with osquery? What I'm thinking is mounting in (via networking? or via a volume mount?) osqueryd and then having the client (and queries) inside of a container. Is…
aronchick
  • 6,786
  • 9
  • 48
  • 75
1
vote
1 answer

Custom Logger plugin not receiving the logs from osquery

Custom logger plugin is written using osquery-go. When the osquery daemon is auto-loaded with this extension, then the logs are received by the custom logger plugin. But if the osqueryd is running as a daemon and custom logger plugin is run…
cshell
  • 13
  • 3
1
vote
1 answer

How to fetch information from process_events and file_events tables from osquery using golang?

I am new to osquery. I want to fetch real-time OS information using osquery (from these two tables: process_events and file_events). I understood that we could retrieve this information using osquery in daemon mode. I was even able to do the…
User0987
  • 91
  • 1
  • 6
1
vote
1 answer

How can I find the SID for the user that installed OSQuery on a Windows machine?

It turns out that OSQuery cannot query the CURRENT_USER hives. As a workaround, it is recommended to use a specific user's SID and then query the users table or HKEY_USERS. But I can't find any examples of someone actually implementing this…
Andrew Zick
  • 582
  • 7
  • 23
1
vote
1 answer

Select all files in a folder and subfolders with OSQuery

Shouldn’t it be possible to select a files in a folder and its subfolders with the query in OSQuery: SELECT path FROM file WHERE directory LIKE '/Users/%'; That returns no results at all. What is missing?
Mattias Baecklund
  • 11
  • 2
1
vote
1 answer

Error: failed to find any PEM data in certificate input when start to run fleet server

certificate.cer When I use cat command to read certificate.cer in my Linux RH server. It come out with those unknown symbol as mentioned in attached picture instead of human readable language such as: -----BEGIN…
IamNewbie
  • 17
  • 1
  • 6
1
vote
1 answer

Osquery takes too much space

I got some osquery on mac os and there is a file /private/var/log/osquery/osquery-output.log. This file takes almost 16 Gb of disk space. What is it? Can i delete it safely?
phrost1
  • 23
  • 2
1
2 3 4 5 6