osquery

OS: Windows / Linux
Size: 29 MB
Version: 3.0.2
Downloads: 9,874

osquery: Ask Your Infrastructure Questions — and Actually Get Answers

Most systems hide what they’re doing behind layers of logs, daemons, and config files. osquery flips that. It turns your operating system into a queryable database — one where processes, users, open ports, and even kernel modules become rows in a table.

Need to find all running processes with a specific parent? Or all machines where /etc/shadow was modified in the last hour? With osquery, it’s a SELECT statement away.

It’s like running SQL against your fleet — and getting clear, structured answers.

What It Actually Does

Processes and users (SELECT * FROM processes WHERE name='ssh';)

Logged-in sessions (SELECT * FROM logged_in_users;)

Loaded kernel modules (SELECT * FROM kernel_modules;)

Installed packages (SELECT * FROM rpm_packages WHERE name LIKE '%openssl%';)

File integrity monitoring (SELECT * FROM file_events WHERE action='MODIFIED';)

Scheduled queries and differential logs — perfect for incident detection

Cross-platform: works on Linux, macOS, and Windows

Daemon mode (osqueryd) and interactive mode (osqueryi) — depending on use case

Why People Use It

Security teams use it to hunt for persistence techniques, policy violations, or rogue software

IT ops use it to monitor configuration drift and patch compliance

SREs use it for real-time introspection and anomaly tracking

DFIR analysts use it to reconstruct activity on compromised hosts

Compliance auditors use it to generate structured reports without deploying heavyweight tools

Core Features at a Glance

Capability               Real Use Case
Virtual tables           Pull live system data like a database
SQL query interface      Standard SELECT syntax — easy to onboard
File monitoring          Detect changes to sensitive files or directories
Scheduled queries        Run checks at regular intervals and log deltas
JSON log output          Integrate with SIEM, ELK, or cloud logging pipelines
Cross-platform support   Works on Linux, Windows, and macOS
TLS enrollment + config  Centralized management for fleets (via osquery fleet managers)
Extensible               Add custom tables or use community plugins

Getting Started (Linux Example)

1. Install via package manager or build from source:

sudo apt install osquery

2. Launch the interactive shell:

sudo osqueryi

3. Try a few basic queries:

SELECT name, pid FROM processes WHERE name LIKE '%sshd%';

SELECT * FROM users WHERE uid = 0;

SELECT * FROM listening_ports WHERE port > 1024;

4. For scheduled fleet monitoring, run as a daemon (osqueryd) and define your query packs.
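Step 4 is where detection happens: osqueryd writes each scheduled query's row-level changes to its results log as "added"/"removed" JSON lines. The following consumer of that log is an added example, not code from the osquery project; the schedule names (listening_ports, root_users, sshd_processes), host names, times and column values in the sample lines are constructed for illustration, while the top-level field names follow the osqueryd differential results log format.

```python
import json
from typing import List

# Constructed sample of osqueryd differential result log lines (one JSON
# object per line). Top-level field names follow the osqueryd results log;
# schedule names, hosts, times and column values are made up for this example.
SAMPLE_LOG = """\
{"name":"listening_ports","hostIdentifier":"web-01","calendarTime":"Mon Jan  1 10:00:00 2024 UTC","unixTime":1704103200,"columns":{"pid":"812","port":"22","protocol":"6","address":"0.0.0.0"},"action":"added"}
{"name":"listening_ports","hostIdentifier":"web-01","calendarTime":"Mon Jan  1 10:05:00 2024 UTC","unixTime":1704103500,"columns":{"pid":"4410","port":"4444","protocol":"6","address":"0.0.0.0"},"action":"added"}
{"name":"listening_ports","hostIdentifier":"web-01","calendarTime":"Mon Jan  1 10:05:00 2024 UTC","unixTime":1704103500,"columns":{"pid":"812","port":"22","protocol":"6","address":"0.0.0.0"},"action":"removed"}
{"name":"root_users","hostIdentifier":"web-01","calendarTime":"Mon Jan  1 10:10:00 2024 UTC","unixTime":1704103800,"columns":{"uid":"0","username":"root","shell":"/bin/bash"},"action":"added"}
{"name":"root_users","hostIdentifier":"web-01","calendarTime":"Mon Jan  1 10:15:00 2024 UTC","unixTime":1704104100,"columns":{"uid":"0","username":"backup2","shell":"/bin/bash"},"action":"added"}
{"name":"sshd_processes","hostIdentifier":"web-01","calendarTime":"Mon Jan  1 10:20:00 2024 UTC","unixTime":1704104400,"columns":{"pid":"812","name":"sshd","path":"/usr/sbin/sshd"},"action":"removed"}
"""

# Baselines (assumed for this example): ports services are expected to
# listen on, and accounts expected to have uid 0. Anything else is flagged.
EXPECTED_PORTS = {"22", "80", "443"}
EXPECTED_ROOT = {"root"}

def parse_results(text: str) -> List[dict]:
    """Parse result log lines, skipping blank or torn (non-JSON) lines."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rows.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a line torn by log rotation must not stop processing
    return rows

def find_alerts(rows: List[dict]) -> List[str]:
    """Turn 'added'/'removed' rows from selected schedules into alert strings."""
    alerts = []
    for row in rows:
        q, action, cols = row.get("name"), row.get("action"), row.get("columns", {})
        host = row.get("hostIdentifier", "?")
        if q == "listening_ports" and action == "added" and cols.get("port") not in EXPECTED_PORTS:
            alerts.append(f"{host}: new listener on port {cols.get('port')} (pid {cols.get('pid')})")
        elif q == "root_users" and action == "added" and cols.get("username") not in EXPECTED_ROOT:
            alerts.append(f"{host}: account {cols.get('username')} now has uid 0")
        elif q == "sshd_processes" and action == "removed":
            alerts.append(f"{host}: sshd (pid {cols.get('pid')}) disappeared")
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(parse_results(SAMPLE_LOG)):
        print(alert)
```

Against the sample lines this yields three alerts (port 4444 opened, backup2 gaining uid 0, sshd exiting); the expected rows for port 22 and the root account produce none.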

What to Know Before You Rely on It

It’s a read-only interface — you can’t alter system state, only observe

Performance is good, but broad queries can spike CPU on large hosts

Not ideal for real-time alerting unless paired with a logging backend

Some tables are platform-specific — check documentation before building cross-platform queries

For large-scale deployments, use with a fleet manager like Fleet, Kolide, or Doorman

Final Thoughts

osquery is one of those tools that feels simple — until you realize how much it’s actually telling you. It gives teams real observability at the host level, without needing to bolt on extra sensors or agents.

If you’ve ever wanted to ask your systems what they’re doing — and get a clear, structured answer — this is the way to do it.
