marpaia edited this page Sep 30, 2014 · 15 revisions

Using osqueryi

osqueryi is the interactive query console which comes with osquery. If you've ever used a SQL database, you're probably familiar with this kind of workflow.

Getting help

There are a few non-SQL administration commands which may be useful to you as well. Note that all non-SQL commands start with the "." character. For example, to list all tables, type ".tables". To get information on other commands, type ".help". To exit the console, use ".exit". Consider the following example:

osquery> .tables
  => alf
  => alf_exceptions
  => alf_explicit_auths
  => alf_services
  => apps
  => ca_certs
  => etc_hosts
  => interface_addresses
  => interface_details
  => kextstat
  => last
  => launchd
  => listening_ports
  => nvram
  => osx_version
  => processes
  => routes
  => time
osquery> .help
.backup ?DB? FILE      Backup DB (default "main") to FILE
.bail ON|OFF           Stop after hitting an error.  Default OFF
.clone NEWDB           Clone data into NEWDB from the existing database
.databases             List names and files of attached databases
.dump ?TABLE? ...      Dump the database in an SQL text format
                         If TABLE specified, only dump tables matching
                         LIKE pattern TABLE.
.echo ON|OFF           Turn command echo on or off
.exit                  Exit this program
.explain ?ON|OFF?      Turn output mode suitable for EXPLAIN on or off.
                         With no args, it turns EXPLAIN on.
.header(s) ON|OFF      Turn display of headers on or off
.help                  Show this message
.import FILE TABLE     Import data from FILE into TABLE
.indices ?TABLE?       Show names of all indices
                         If TABLE specified, only show indices for tables
                         matching LIKE pattern TABLE.
.load FILE ?ENTRY?     Load an extension library
.log FILE|off          Turn logging on or off.  FILE can be stderr/stdout
.mode MODE ?TABLE?     Set output mode where MODE is one of:
                         csv      Comma-separated values
                         column   Left-aligned columns.  (See .width)
                         html     HTML <table> code
                         insert   SQL insert statements for TABLE
                         line     One value per line
                         list     Values delimited by .separator string
                         pretty   Pretty printed SQL results
                         tabs     Tab-separated values
                         tcl      TCL list elements
.nullvalue STRING      Use STRING in place of NULL values
.open ?FILENAME?       Close existing database and reopen FILENAME
.output FILENAME       Send output to FILENAME
.output stdout         Send output to the screen
.print STRING...       Print literal STRING
.prompt MAIN CONTINUE  Replace the standard prompts
.quit                  Exit this program
.read FILENAME         Execute SQL in FILENAME
.restore ?DB? FILE     Restore content of DB (default "main") from FILE
.save FILE             Write in-memory database into FILE
.schema ?TABLE?        Show the CREATE statements
                         If TABLE specified, only show tables matching
                         LIKE pattern TABLE.
.separator STRING      Change separator used by output mode and .import
.show                  Show the current values for various settings
.stats ON|OFF          Turn stats on or off
.tables ?TABLE?        List names of tables
                         If TABLE specified, only list tables matching
                         LIKE pattern TABLE.
.timeout MS            Try opening locked tables for MS milliseconds
.trace FILE|off        Output each SQL statement as it is run
.vfsname ?AUX?         Print the name of the VFS stack
.width NUM1 NUM2 ...   Set column widths for "column" mode
.timer ON|OFF          Turn the CPU timer measurement on or off

osquery> .exit
$ 

Executing SQL queries

Once you've opened the shell, feel free to run arbitrary SQL commands using osquery tables. All major SQL functionality is supported. For more information on SQL syntax, see the documentation on SQL as understood by SQLite.

Consider the following query:

osquery> SELECT DISTINCT
    ...>   process.name,
    ...>   listening.port,
    ...>   process.pid
    ...> FROM processes AS process
    ...> JOIN listening_ports AS listening
    ...> ON process.pid = listening.pid
    ...> WHERE listening.address = '0.0.0.0';

+----------+-------+-------+
| name     | port  | pid   |
+----------+-------+-------+
| Spotify  | 57621 | 18666 |
| ARDAgent | 3283  | 482   |
+----------+-------+-------+
osquery>
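osquery answers SQL in SQLite's dialect, so a query can be drafted and checked offline against an in-memory SQLite database seeded with a few constructed rows before it is ever run on a host. The following is an added example, not code from the osquery project or this wiki: it mirrors only the columns the join above uses (processes: pid, name; listening_ports: pid, port, address), runs the wiki's query verbatim, and then extends it into a simple check that flags processes bound to all interfaces that are not on an expected-services allowlist. The sample rows, the allowlist and the function names are assumptions made for the example.

```python
"""Prototype osquery SQL offline against an in-memory SQLite database."""
import sqlite3

# Constructed sample rows (not real host data). Only the columns used by
# the wiki's example query are modelled.
SAMPLE_PROCESSES = [
    (1, "launchd"),
    (482, "ARDAgent"),
    (2201, "sshd"),
    (3310, "python"),
    (18666, "Spotify"),
]
SAMPLE_LISTENING_PORTS = [
    (482, 3283, "0.0.0.0"),      # ARDAgent, all interfaces
    (2201, 22, "127.0.0.1"),     # sshd bound to loopback only
    (3310, 8000, "0.0.0.0"),     # ad-hoc HTTP server on all interfaces
    (18666, 57621, "0.0.0.0"),   # Spotify, all interfaces
]

# The query exactly as it appears on the wiki page.
PAGE_QUERY = """
SELECT DISTINCT
  process.name,
  listening.port,
  process.pid
FROM processes AS process
JOIN listening_ports AS listening
ON process.pid = listening.pid
WHERE listening.address = '0.0.0.0';
"""


def build_sample_db():
    """Create an in-memory database whose tables imitate the osquery
    virtual tables the query touches, and seed them with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE processes (pid INTEGER, name TEXT)")
    conn.execute(
        "CREATE TABLE listening_ports (pid INTEGER, port INTEGER, address TEXT)"
    )
    conn.executemany("INSERT INTO processes VALUES (?, ?)", SAMPLE_PROCESSES)
    conn.executemany(
        "INSERT INTO listening_ports VALUES (?, ?, ?)", SAMPLE_LISTENING_PORTS
    )
    conn.commit()
    return conn


def wide_open_listeners(conn):
    """Run the wiki's query and return (name, port, pid) rows, sorted so the
    result is deterministic (DISTINCT alone does not guarantee an order)."""
    return sorted(conn.execute(PAGE_QUERY).fetchall())


def unexpected_listeners(conn, allowlist):
    """Defender's extension of the same join: processes bound to 0.0.0.0
    whose name is not in `allowlist`. The allowlist is passed as bound
    parameters rather than spliced into the SQL text, so names containing
    quotes cannot alter the statement."""
    sql = (
        "SELECT DISTINCT process.name, listening.port, process.pid "
        "FROM processes AS process "
        "JOIN listening_ports AS listening ON process.pid = listening.pid "
        "WHERE listening.address = '0.0.0.0'"
    )
    params = tuple(allowlist)
    if params:
        placeholders = ", ".join("?" for _ in params)
        sql += f" AND process.name NOT IN ({placeholders})"
    return sorted(conn.execute(sql, params).fetchall())


if __name__ == "__main__":
    db = build_sample_db()
    print("Listening on all interfaces:")
    for row in wide_open_listeners(db):
        print("  ", row)
    print("Not on the expected-services allowlist:")
    for row in unexpected_listeners(db, ("ARDAgent", "Spotify")):
        print("  ", row)
```

Because the table shapes are stand-ins, a query that works here still has to be checked against the real schema with .schema in osqueryi; the value of the prototype is in catching join and filter mistakes before the query is scheduled fleet-wide.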

Using osqueryd

osqueryd is the host monitoring daemon which is included with osquery. Running osqueryd --help will surface some interesting configurable options. As of October 1, 2014, the configurable options are as follows:

$ osqueryd --help

  osqueryd
    --help, -h            Print help and usage information

    --config_retriever    The config plugin to use (ex: filesystem, http)
                            Default: filesystem

    --config_path         If using the filesystem config plugin, the path where
                          your osquery JSON config file can be found
                            Default: /var/osquery/osquery.conf

    --log_receiver        The logger plugin to use (ex: filesystem, scribe)
                            Default: filesystem

    --log_dir             The directory which you would like to store your
                          output logs
                            Default: /var/log/osquery/

    -v                    Increase output verbosity
                            Example: -v=3

For detailed information on how you should configure options like log_dir and log_receiver, check out the logging options guide.

For detailed information on how you should configure options like config_path and config_retriever, check out the config options guide.
