osquery | SQL powered operating system instrumentation monitoring | Monitoring library

Generally not.

osquery itself aims to not change anything in the filesystem. The main distribution has no mechanisms that would do that. (Except, of course, it's local state files)

osquery extensions, however, can be written to do whatever the extension author desires. Further, osquery supports the idea of "writeable tables" which extensions may use to present a simpler interface.

Check out https://blog.trailofbits.com/2018/05/30/manage-your-fleets-firewalls-with-osquery/ for a writable table example.

One can't filter out multi-value fields before stats because it's stats that makes them multi-value. Try filtering out the undesired IP addresses before joining the events.

Are you looking for the deb_packages table?

apps is macOS specific, as it enumerates the macOS Applications.

What you're seeing is a direct consequence of array flattening as described in this answer. If you're looking for a simple solution, simply apply the nested mapping, reindex, and your bool-must query will work 'correctly.'

I'd recommend converting at least products to the nested data type; perhaps even the parent, vendors. Bear in mind, though, that multiple levels of nestedness may render your queries quite verbose and you may find yourself reversing the nestedness when trying to determine top-level counts so it's worthwhile to consider whether the index's basic building block can perhaps be a product whose vendor will be an attribute -- instead of listing multiple products under a single vendor.

The best way to debug this kind of issue is to test out your configuration by running osqueryd manually, rather than as a service. This will let you see the logs and get your settings correct before setting up the service.

You'll want to use the following command in Powershell:

By itself, osquery does very little. It can be configured to run a variety of queries to examine system state. Depending on configuration, these results might be stored locally or sent to a log aggregator. The configuration can either be from a local file, or from a remote server.

It sounds like you have an osquery install that is configured to log to local disk, but nothing is collecting those results.

osquery itself does not do anything with that file. So you can certainly truncate it. (Just deleting it will likely leave an unlinked file). But that file implies a misconfigured setup.

Should it be logging to local disk? What consumes those logs? Etc.

It looks like you already started osqueryi in shell mode, so it is not parsing the flag you are trying to pass.

What you are looking for is probably (from your cmd.exe shell):

You aren't getting this error from your shell but from the query parser, and it's not actually caused by the % character, but to the ' that immediately precedes it. Look at where you have quotes:

You tagged osquery, so... Perhaps as an alternative, don't run osqueryi that way, it's not meant to be used like that.

The general recommendation is to use osqueryd with the configuration as you'd like it. Or, if you really want to a single invocation of osqueryi you can invoke it with a query from the command line, outputting in json: