Process and socket auditing with osquery Linux process auditing Linux socket auditing Troubleshooting Auditing on Linux User events macOS process auditing osquery events optim...

Apple macOS Syslog Configuration Usage Linux Syslog Configuration rsyslog versions < 7 rsyslog versions >= 7 All versions Other configuration Configuring syslog-ng Usage ...

Writing a test Building a test All commits to osquery should be well unit-tested. Having tests is useful for many reasons. In addition to the subtle advantage of being able to a...

Example: Filesystem config Using the plugin For details on how osqueryd schedules queries and loads information from a config, see the configuration deployment guide. You may...

Installing osquery Running osquery A 'universal' Linux package can be created for each package distribution system. These packages contain the osquery daemon, shell, example con...

SQL as understood by osquery Shell help Your first query Tables with arguments SQL additions Table and column name deprecations Everything in SQL! It may seem weird at firs...

Flagfile Configuration control flags Daemon control flags Backing storage control flags Extensions control flags Remote settings flags (optional) Daemon runtime control flags...

Example FIM Config Sample Event Output Tuning Linux inotify limits Example sysctl.conf modifications File Accesses Process File Accesses on macOS File integrity monitoring (...

Configuration components Query Packs Discovery queries Packs FAQs Configuration specification Options Schedule Packs File Paths YARA Prometheus Views EC2 Decorator quer...

Logger plugins Status logs Results logs Differential logs Snapshot logs Logging as a Kafka producer. Configuration Schedule results Event format Snapshot format Batch form...