osquery | SQL powered operating system instrumentation monitoring | Monitoring library
kandi X-RAY | osquery Summary
osquery exposes an operating system as a high-performance relational database. This allows you to write SQL-based queries to explore operating system data. With osquery, SQL tables represent abstract concepts such as running processes, loaded kernel modules, open network connections, browser plugins, hardware events or file hashes.
Trending Discussions on osquery
QUESTION
I have a function which is supposed to grab a query from a remote server and run it on OsQuery. I have been able to configure it so that the data is sent from the remote server and is received in the kwargs data structure.
When I run print(kwargs) it shows a long dict; in it I have a field called 'osquery_query' which I'd like to extract and print out.
The output looks like this:
...
ANSWER
Answered 2022-Mar-02 at 10:23
To get a value from nested dictionaries or other nested data structures, you need to index each level separately, like so:
QUESTION
From what I read osquery is used for querying / reading the system information.
By any chance does it have a facility to modify the system state, like killing a process or deleting a registry key?
I am using osqueryi commands like select * from users before diving in programmatically.
ANSWER
Answered 2021-Apr-26 at 14:01
Generally not.
osquery itself aims to not change anything in the filesystem. The main distribution has no mechanisms that would do that. (Except, of course, its local state files.)
osquery extensions, however, can be written to do whatever the extension author desires. Further, osquery supports the idea of "writable tables" which extensions may use to present a simpler interface.
Check out https://blog.trailofbits.com/2018/05/30/manage-your-fleets-firewalls-with-osquery/ for a writable table example.
QUESTION
I have some events (2 different sourcetype—process_events and socket_events) that look something like this:
...
ANSWER
Answered 2021-Apr-15 at 21:01
One can't filter out multi-value fields before stats, because it's stats that makes them multi-value. Try filtering out the undesired IP addresses before joining the events.
QUESTION
I'm looking to generate lists of apt package versions for specific packages, like sudo, ssh, etc. OSQuery seems to have an option to generate this with rpm_packages, but I can find no mention of apt_packages.
I don't mean apt_sources, and the apps table appears to be a MacOS only thing.
I might be just missing a table listing versions of binaries.
...
ANSWER
Answered 2021-Feb-03 at 16:45
Are you looking for the deb_packages table?
apps is macOS specific, as it enumerates the macOS Applications.
QUESTION
First of all, I'm very new to Elasticsearch. I'm using the python library to run queries.
I have documents with lists embedded inside other lists, for example:
...
ANSWER
Answered 2020-Oct-29 at 23:06
What you're seeing is a direct consequence of array flattening as described in this answer. If you're looking for a simple solution, simply apply the nested mapping, reindex, and your bool-must query will work 'correctly.'
I'd recommend converting at least products to the nested data type; perhaps even the parent, vendors. Bear in mind, though, that multiple levels of nestedness may render your queries quite verbose, and you may find yourself reversing the nestedness when trying to determine top-level counts, so it's worthwhile to consider whether the index's basic building block can perhaps be a product whose vendor will be an attribute, instead of listing multiple products under a single vendor.
QUESTION
I am trying to connect osquery on a Windows server to Kolide Fleet. The osqueryd service was created successfully, but nothing appears on my Kolide Fleet dashboard.
I created the service through:
...
ANSWER
Answered 2020-Oct-01 at 22:07
The best way to debug this kind of issue is to test out your configuration by running osqueryd manually, rather than as a service. This will let you see the logs and get your settings correct before setting up the service.
You'll want to use the following command in PowerShell:
QUESTION
I got some osquery on macOS and there is a file /private/var/log/osquery/osquery-output.log. This file takes almost 16 Gb of disk space. What is it? Can I delete it safely?
...
ANSWER
Answered 2020-Sep-29 at 13:36
By itself, osquery does very little. It can be configured to run a variety of queries to examine system state. Depending on configuration, these results might be stored locally or sent to a log aggregator. The configuration can either be from a local file, or from a remote server.
It sounds like you have an osquery install that is configured to log to local disk, but nothing is collecting those results.
osquery itself does not do anything with that file. So you can certainly truncate it. (Just deleting it will likely leave an unlinked file.) But that file implies a misconfigured setup.
Should it be logging to local disk? What consumes those logs? Etc.
QUESTION
osquery not giving JSON or CSV output on Windows. I have tried these, but I am unable to produce CSV or JSON output.
...
ANSWER
Answered 2020-Jul-15 at 17:16
It looks like you already started osqueryi in shell mode, so it is not parsing the flag you are trying to pass.
What you are looking for is probably (from your cmd.exe shell):
QUESTION
I am trying to pull all the jdk packages installed on a set of hosts by sending a SQL select statement to osquery on a Linux shell via pssh.
Here is the query:
pssh -h myhosts -i 'echo "SELECT name FROM rpm_packages where name like '%jdk%';"| osqueryi --json'
but usage of "%" is giving me the below error.
Error: near line 1: near "%": syntax error
I tried to escape %, but the error remains the same. Any ideas how to overcome this error?
...
ANSWER
Answered 2020-May-16 at 04:54
You aren't getting this error from your shell but from the query parser, and it's not actually caused by the % character, but by the ' that immediately precedes it. Look at where you have quotes:
QUESTION
I need to run a process called osqueryi before I run my app, and kill that process when shutting down. (It is kind of a daemon which can be queried. I need it to be running in order for my app to work.)
ANSWER
Answered 2020-Apr-15 at 02:12
You tagged osquery, so... Perhaps as an alternative, don't run osqueryi that way; it's not meant to be used like that.
The general recommendation is to use osqueryd with the configuration as you'd like it. Or, if you really want a single invocation of osqueryi, you can invoke it with a query from the command line, outputting in JSON:
Community Discussions, Code Snippets contain sources that include Stack Exchange Network
Vulnerabilities
No vulnerabilities reported
Install osquery
Building osquery from source is encouraged! Check out our build guide. Also check out our contributing guide and join the community on Slack.