internal deployment guide
Deployment of osquery should be straightforward. If you have any problems along the way, please create a GitHub issue.
osquery was built with production infrastructure in mind. Code is rigorously benchmarked and tested for memory leaks. Expect a small footprint.
osquery uses underlying systems APIs for systems operations. For example, the kextstat table in OS X uses the same underlying core APIs as the kextstat command. During the lifecycle of a long-running monitoring daemon, the benefits of this compound over time.
Whenever possible, osquery uses operating system streams to reactively perform actions. For example, if you wanted to know when a particular file changed, you could periodically poll for its contents, or you could use inotify to tell you when the file changed. osquery includes an operating system publish-subscribe event framework that the core product uses to take advantage of these performance wins.
osquery has a plugin architecture that lets you choose how configuration management and logging are performed. This allows you to deploy osquery both in corporate and production environments as well as on OSX and Linux assets.
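As an added illustration of the two points above (event streams instead of polling, and the config/logger plugin choice), here is a constructed osquery configuration file; it is not part of this guide or the osquery project's own docs. It assumes the filesystem config and logger plugins, and `/etc` is just a sample watch path; the `etc_hash_polling` query is included only to contrast the polling approach with the event-driven `file_events` query that the `file_paths` block feeds.

```json
{
  "options": {
    "config_plugin": "filesystem",
    "logger_plugin": "filesystem",
    "disable_events": "false",
    "enable_file_events": "true"
  },
  "schedule": {
    "etc_file_events": {
      "query": "SELECT target_path, action, time FROM file_events;",
      "interval": 300
    },
    "etc_hash_polling": {
      "query": "SELECT path, sha256 FROM hash WHERE path = '/etc/passwd';",
      "interval": 300
    }
  },
  "file_paths": {
    "etc": ["/etc/%%"]
  }
}
```

The `file_events` query drains events the inotify-backed publisher buffered since its last run, so a change that happens and is reverted between two runs is still logged, whereas the `hash` query only ever sees the file's state at the moment it executes.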
Being an open source product, osquery is completely customizable.
See our distribution guide.