osquery can leverage either BPF or the audit subsystems to record process executions and network connections in near real-time on Linux and macOS systems. Although these auditing features are extremely powerful for recording the activity from a host, they may introduce additional computational overhead and greatly increase the number of log events generated by osquery.

How event-based tables are created and designed, check out the osquery

Linux process and socket auditing using BPF

Enabling these auditing features requires additional configuration of osquery.

Supported platforms, process events are abstracted into the

Similarly, socket events are abstracted into the

To collect process events, add a query like `SELECT * FROM process_events` to your query schedule, or to a query pack. If BPF is being used, change the table name to `bpf_process_events`.

Enabling these auditing features requires additional configuration to osquery, and may have performance impact. Though some testing of the underlying operating system configuration can be performed via osqueryi, osqueryi and osqueryd operate

The `-verbose` flag can be really useful when trying to debug a problem.

To verify that osquery's flags are set correctly, you can query the

For example, on a macOS machine, this shows:

```
osquery> select * from osquery_flags where name in ("disable_events", "disable_audit")
```

| name | type | description | default_value | value | shell_only |
|---|---|---|---|---|---|
| disable_audit | bool | Disable receiving events from the audit subsystem | true | false | 0 |
| disable_events | bool | Disable osquery publish/subscribe system | false | false | 0 |