OSQuery Integration

SQL-based system inspection.

Overview

OSQuery lets you query system information using SQL syntax.

Usage

Select an agent in the dashboard
Navigate to Query tab
Enter SQL query
Execute and view results

Common Queries

Installed Software

sql

-- Debian/Ubuntu
SELECT name, version FROM deb_packages;

-- RHEL/CentOS
SELECT name, version FROM rpm_packages;

-- Windows
SELECT name, version FROM programs;

-- macOS
SELECT name, bundle_version FROM apps;

Running Processes

sql

SELECT pid, name, cmdline, cpu_time, resident_size
FROM processes
ORDER BY cpu_time DESC
LIMIT 10;

Open Network Connections

sql

SELECT local_address, local_port, remote_address, remote_port, state
FROM process_open_sockets
WHERE state = 'ESTABLISHED';

Logged In Users

sql

SELECT user, host, time, tty
FROM logged_in_users;

System Information

sql

SELECT hostname, cpu_brand, physical_memory
FROM system_info;

Disk Space

sql

SELECT path, type, blocks_size * blocks_available / 1024 / 1024 AS free_mb
FROM mounts;

Scheduled Queries

Run queries on a schedule:

Navigate to Admin → Scheduled Queries
Create new query
Set schedule (cron format)
Select target agents

OSQuery Integration ​

Overview ​

Usage ​

Common Queries ​

Installed Software ​

Running Processes ​

Open Network Connections ​

Logged In Users ​

System Information ​

Disk Space ​

Scheduled Queries ​

OSQuery Integration

Overview

Usage

Common Queries

Installed Software

Running Processes

Open Network Connections

Logged In Users

System Information

Disk Space

Scheduled Queries