
Getting Started Guide

How to Install and Use osquery

This guide covers installing osquery and using SQL queries to inspect your system's processes, network connections, users, and security state.

Prerequisites

  • Linux, macOS, or Windows
1. Install osquery

Install osquery from the official packages.

macOS

brew install osquery

Debian/Ubuntu

sudo apt install osquery

Launch interactive shell

osqueryi
2. Your First Queries

Query your system like a database. Each table represents a different aspect of the OS.

Running processes

SELECT name, pid, path, cmdline FROM processes ORDER BY start_time DESC LIMIT 20;

Listening ports

SELECT p.name, l.port, l.address, l.protocol FROM listening_ports l JOIN processes p ON l.pid = p.pid;

Logged-in users

SELECT user, host, time FROM logged_in_users;
3. Security Queries

Queries specifically useful for security monitoring and incident response.

Find processes running from /tmp

SELECT name, path, pid FROM processes WHERE path LIKE '/tmp/%' OR path LIKE '/var/tmp/%';

Check for crypto miners

SELECT name, path, cmdline FROM processes WHERE cmdline LIKE '%stratum%' OR cmdline LIKE '%minerd%' OR name LIKE '%xmrig%';

Recently modified files in sensitive dirs

SELECT path, mtime, size FROM file WHERE directory IN ('/etc/cron.d', '/etc/cron.daily') AND mtime > (strftime('%s','now') - 86400);
4. Network Investigation

Query network connections, DNS, and ARP tables.

Active connections

SELECT p.name, p.pid, s.remote_address, s.remote_port, s.state FROM process_open_sockets s JOIN processes p ON s.pid = p.pid WHERE s.remote_port != 0 AND s.state = 'ESTABLISHED';

ARP table

SELECT * FROM arp_cache;

Note: The process_open_sockets + processes join is one of the most useful queries for incident response - it shows you exactly which process is talking to which remote address.

5. Schedule Queries (Daemon Mode)

Run osquery as a daemon that executes queries on a schedule and logs the results.

Start daemon

sudo osqueryd --config_path /etc/osquery/osquery.conf

Example config

/etc/osquery/osquery.conf:

{
  "schedule": {
    "suspicious_processes": {
      "query": "SELECT * FROM processes WHERE path LIKE '/tmp/%'",
      "interval": 300
    }
  }
}

Note: In daemon mode, osquery runs scheduled queries and logs differential results (only new/changed rows). This is how it's used for continuous endpoint monitoring at scale.
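To show what those differential results look like downstream, here is an added Python example (not part of this guide or of osquery itself) that parses constructed osqueryd results-log lines for the suspicious_processes entry above, replays the added/removed rows to reconstruct which /tmp processes are still present, and flags command lines matching the miner markers from the earlier query. The record fields (name, hostIdentifier, unixTime, action, columns) follow osqueryd's per-line JSON event format; the host names, paths, pids and command lines are invented.

```python
import json
# Constructed sample of osqueryd results-log lines (one JSON object per line)
# as produced by the "suspicious_processes" schedule entry above. Host names,
# pids, paths and command lines are invented for this example.
SAMPLE_RESULTS_LOG = """
{"name":"suspicious_processes","hostIdentifier":"web-01","unixTime":1700000000,"action":"added","columns":{"name":"kworkerds","path":"/tmp/.x/kworkerds","pid":"4242","cmdline":"/tmp/.x/kworkerds -o stratum+tcp://pool.invalid:3333"}}
{"name":"suspicious_processes","hostIdentifier":"web-02","unixTime":1700000000,"action":"added","columns":{"name":"sh","path":"/tmp/build.sh","pid":"911","cmdline":"sh /tmp/build.sh"}}
{"name":"suspicious_processes","hostIdentifier":"web-01","unixTime":1700000300,"action":"removed","columns":{"name":"kworkerds","path":"/tmp/.x/kworkerds","pid":"4242","cmdline":"/tmp/.x/kworkerds -o stratum+tcp://pool.invalid:3333"}}
{"name":"other_query","hostIdentifier":"web-02","unixTime":1700000300,"action":"added","columns":{"name":"cron","path":"/usr/sbin/cron","pid":"12"}}
this line is not JSON and is skipped
"""

# Command-line markers taken from the "Check for crypto miners" query earlier on the page.
MINER_MARKERS = ("stratum", "minerd", "xmrig")

def parse_results_log(text, query_name="suspicious_processes"):
    """Return the well-formed differential records belonging to one scheduled query."""
    records = []
    for line in text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # osqueryd writes one JSON object per line; skip blanks and junk
        if isinstance(rec, dict) and rec.get("name") == query_name \
                and rec.get("action") in ("added", "removed"):
            records.append(rec)
    return records

def current_tmp_processes(records):
    """Replay added/removed rows in time order and return what is still present."""
    present = {}
    for rec in sorted(records, key=lambda r: r["unixTime"]):
        cols = rec["columns"]
        key = (rec["hostIdentifier"], cols["pid"], cols["path"])
        if rec["action"] == "added":
            present[key] = cols
        else:
            present.pop(key, None)  # a "removed" row means that process is gone
    return present

def triage(text):
    """Flag every newly seen /tmp process, marking miner-like command lines."""
    alerts = []
    for rec in parse_results_log(text):
        if rec["action"] != "added":
            continue
        cmdline = rec["columns"].get("cmdline", "").lower()
        alerts.append({"host": rec["hostIdentifier"], "path": rec["columns"]["path"],
                       "miner_like": any(m in cmdline for m in MINER_MARKERS)})
    return alerts
```

Point parse_results_log at the contents of osqueryd's results log (osqueryd.results.log under the configured logger_path) to run the same triage over real data.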
