# general
- g
GitHub
10/03/2025, 12:40 PM1 new commit pushed to
by directionless<https://github.com/osquery/osquery/tree/master|master>
- Exclude config views from db migration (#8678) osquery/osquery<https://github.com/osquery/osquery/commit/cab5fc757f3d70133061ead5a505ae07768049ab|cab5fc75> - g
GitHub
10/07/2025, 1:07 PM1 new commit pushed to
by directionless<https://github.com/osquery/osquery/tree/master|master>
- Stop trying to install strawberry perl on the windows CI runners (#8698) osquery/osquery<https://github.com/osquery/osquery/commit/ac3b20691dac898ee63fdc7bb6e2d2eec9f61bc7|ac3b2069> - g
GitHub
10/07/2025, 1:07 PM1 new commit pushed to
by directionless<https://github.com/osquery/osquery/tree/master|master>
- Free diskspace on linux CI runners (#8697) osquery/osquery<https://github.com/osquery/osquery/commit/a34034a5bff1d4addb8d32b40dd28ec4097f34d9|a34034a5> - g
GitHub
10/07/2025, 5:33 PM1 new commit pushed to
by zwass<https://github.com/osquery/osquery/tree/master|master>
- Make<https://github.com/osquery/osquery/commit/56473dc9fd428e5de2e1eb11078de152bcce544d|56473dc9>
more consistently report UUID (#8693) osquery/osqueryvscode_extensions - g
GitHub
10/07/2025, 5:34 PM1 new commit pushed to
by zwass<https://github.com/osquery/osquery/tree/master|master>
- Don't overwrite hardware_version if it has a value (#8690) osquery/osquery<https://github.com/osquery/osquery/commit/181ac85d48542de41c8bb10e60713ef9c6018b81|181ac85d> - g
GitHub
10/07/2025, 5:42 PM1 new commit pushed to
by zwass<https://github.com/osquery/osquery/tree/master|master>
- Support<https://github.com/osquery/osquery/commit/9fdcd51bb2cbfc81b487cf9bc48f3b3aa2226bbb|9fdcd51b>
onnvm
table (#8694) osquery/osquerynpm_packages - z
zwass
10/08/2025, 4:20 PMWhoops, we accidentally posted promotional content into this channel rather than #C01DXJL16D8. Sorry about that. Now deleted.ty 1 - s
Shiji Zhou
10/09/2025, 5:25 PMHi guys, could you advise me on how to use osquery to retrieve the same configurations that I previously obtained via the
command?sysctl -af- 2
- 2
- g
GitHub
10/09/2025, 8:38 PM1 new commit pushed to
by zwass<https://github.com/osquery/osquery/tree/master|master>
- Add scoped npm package path (#8686) osquery/osquery<https://github.com/osquery/osquery/commit/ad99fb5651afbbd1871f2de60b7873f78935262f|ad99fb56> - g
GitHub
10/11/2025, 2:27 AM1 new commit pushed to
by directionless<https://github.com/osquery/osquery/tree/master|master>
- Fix SQL examples for system_profiler table (#8699) osquery/osquery<https://github.com/osquery/osquery/commit/e8f154ef3143ad31073d918612de394f2e958a77|e8f154ef> - s
sean.cavanaugh
10/15/2025, 5:17 PMIs anyone using the
table with success? I'm unable to get it to return results on hosts that have jetbrains plugins installed. Trying both via osqueryi locally and w/ distributed queries via Fleet.jetbrains_plugins✅ 1gs- 3
- 3
- c
cTakaHoz
10/16/2025, 10:28 AMHi, I have a question about how the
parameter works; it is enabled by default. I currently have--events_optimize
in my osquery configuration, and--watchdog_level=0
is set to false. I collect data from the *_events tables and I’m concerned that I might run into issues with losing some logs. According to the documentation, this parameter works as follows:--events_optimizeCopy code
I’m interested in how the current time is saved: is it recorded after the query completes successfully, or before the query completes, at execution time? Just in case a query against a *_events table becomes resource-intensive, the watchdog may kill the osquery process, and if the current time is saved at execution time, I could lose logs, since the next query will no longer see older events.Every time the SELECT query runs on a subscriber, the current time is saved. Subsequent SELECTs will use the previously saved time as the lower bound.👀 1 - g
GitHub
10/22/2025, 5:09 PM1 new commit pushed to
by directionless<https://github.com/osquery/osquery/tree/master|master>
- Project Documentation/README updates (#8696) osquery/osquery<https://github.com/osquery/osquery/commit/57e120d124688dc866081ee6bf857994536a881c|57e120d1> - g
GitHub
10/23/2025, 4:10 PM1 new commit pushed to
by zwass<https://github.com/osquery/osquery/tree/master|master>
- Add more informative descriptions for<https://github.com/osquery/osquery/commit/f4fd92fbc2648eb914859dff57f38b1fe1ff99d8|f4fd92fb>
andmounts.blocks_free
(#8701) osquery/osquerymounts.blocks_available - g
GitHub
10/23/2025, 4:12 PMRelease - 5.20.0 New release published by zwass ## What's Changed • Enhance issue description with automation note by @directionless in #8679 • Change dependency for macOS universal binary in CI workflow by @zwass in #8667 • Update CHANGELOG to point to Releases page. by @frankgraziano in #8681 • Update dns_resolvers documentation to point to interface_details on Windows by @zwass in #8682 • Fix build against libaudit >=4.1.1 by removing set_aumessage_mode call by @Blarse in #8676 • libs: libarchive: 3.7.9 -> 3.8.1 by @LeSuisse in #8642 • Add default path for CA certificate bundle on openSUSE by @iko1 in #8687 • Exclude config views from db migration by @Micah-Kolide in #8678 • Stop trying to install strawberry perl on the windows CI runners by @directionless in #8698 • Free diskspace on linux CI runners by @directionless in #8697 • Make
more consistently report UUID by @zwass in #8693 • Don't overwrite hardware_version if it has a value by @sbrito85 in #8690 • Supportvscode_extensions
onnvm
table by @dantecatalfamo in #8694 • Add scoped npm package path by @lichao127 in #8686 • Fix SQL examples for system_profiler table by @zwass in #8699 • Project Documentation/README updates by @directionless in #8696 • Add more informative descriptions fornpm_packages
andmounts.blocks_free
by @jacobshandling in #8701 ## New Contributors • @frankgraziano made their first contribution in #8681 • @Blarse made their first contribution in #8676 • @jacobshandling made their first contribution in #8701 Full Changelog: 5.19.0...5.20.0 osquery/osquerymounts.blocks_available - z
zwass
10/29/2025, 4:43 PMHey folks, Seph and I got the 5.20.0 pre-release out last week. Please test if you are able.🎉 1s- 2
- 5
- g
GitHub
11/06/2025, 3:23 PM1 new commit pushed to
by zwass<https://github.com/osquery/osquery/tree/master|master>
- Improvements to password_policy table (#8705) osquery/osquery<https://github.com/osquery/osquery/commit/6f6fe28f37765fdcd57a0e85c06e5959d4fe5718|6f6fe28f> - r
Ryan Stortz
11/11/2025, 12:35 AMdoes osquery still support centos6? and whyss- 3
- 4
- s
seph
11/12/2025, 1:18 PMHi Folks! Osquery 5.20.0 stable. 🎉 You can see the release notes in the above link. Enjoy!🎉 2 - r
Robin Johansson
11/18/2025, 12:08 PMcloudflare 🫠🤦♂️ 2 - a
anurag
11/28/2025, 9:57 AMHi Everyone, I am facing an issue where I can't retrieve the scheduled query results through my /api/logs endpoint which is in python and I am using ngrok to serve a HTTPS server. Here is the flags file -# Server Configuration--tls_hostname=<http://xxxx.ngrok-free.dev|xxxx.ngrok-free.dev># Enrollment Configuration--enroll_tls_endpoint=/api/enroll--enroll_secret_path=C:\osquery_certs\enrollment_secret.txt--disable_enrollment=false# Config Plugin--config_plugin=tls--config_tls_endpoint=/api/config--config_tls_refresh=60--config_tls_max_attempts=3# Logger Configuration--disable_logging=false--logger_plugin=tls--logger_tls_endpoint=/api/logs--logger_tls_period=5--logger_event_type=true--logger_min_status=0# Device Identification--host_identifier=uuid# Verbose logging for testing--verbose=true--logger_min_status=0--allow_unsafe--force--tls_dump--enable_ntfs_event_publisher=true--enable_process_etw_events=true--enable_windows_events_publisher=true--enable_windows_events_subscriber=true--disable_events=false
Please someone guide me what am I doing wrong? this is the config which I am sending back to the config api response ---disable_database=false@app.route('/api/config', methods=['POST'])def config():"""Provide osquery configuration"""data = request.get_json()node_key = data.get('node_key', '')print(f"\n[CONFIG] Request from node_key: {node_key}")if node_key not in enrolled_nodes:print(f"[CONFIG] FAILED - Unknown node_key")return jsonify({"node_invalid": True}), 401# Simple config with one queryosquery_config = {"schedule": {"os_version": {"query": "SELECT * FROM os_version;","interval": 10},}}print(f"[CONFIG] Sending configuration")return osquery_configs- 2
- 2
- j
John Lamb
12/01/2025, 6:01 PMI am looking to do some correlation (particularly on macOS) between
andes_process_events
andprocess_events
and I am scratching my head a bit about how to get the right matches considering PIDs can be reused: 1. Ideal case would be all 3 tables expose "id" (viewable in the JSON for es_process_events if you look at anprocesses
action in Mac Monitor by Red Canary, for instance) which is a UUID that pretty much will never be reused in the course of the life of the universe and join on that. 2. Less ideal would beexec
andpid
which could be used to make a composite key to join on (with ANDs) -pidversion
lacks this and bsm probably never picks it up.process_events
lacksprocesses
but haspid_version
(whichupid
lacks) which is not a UUID but an incremented 64 bit number 3. Possibly less ideal would be aes_process_events
starting withLEFT JOIN
and then limiting my time, so if the event happens and the query happens for it soon enough, grab static data from processes... not a big fan. Joins against socket_events are more problematic because there is just pid, no pid versiones_process_events
orUUID
This is not a complaint at all, osquery rocks. And I can already get close enough queries with just joining on pid as long as I caveat my results sufficientlyupid.s- 2
- 10
- g
GitHub
12/02/2025, 5:21 PM1 new commit pushed to
by zwass<https://github.com/osquery/osquery/tree/master|master>
- Improve Cursor rules for testing (#8717) osquery/osquery<https://github.com/osquery/osquery/commit/702617b48c3d0ae05a640390347c5eeff926df29|702617b4> - g
GitHub
12/03/2025, 5:05 PM1 new commit pushed to
by zwass<https://github.com/osquery/osquery/tree/master|master>
- Fix CI: Remove Login Items plist support from startup_items table (#8723) osquery/osquery<https://github.com/osquery/osquery/commit/3c97fb53d6e5ea5efe440af45e1e55d2da5b5c5e|3c97fb53> - g
GitHub
12/10/2025, 4:31 PM1 new commit pushed to
by zwass<https://github.com/osquery/osquery/tree/master|master>
- Improve file traversal performance and correctness (#8704) osquery/osquery<https://github.com/osquery/osquery/commit/07aba275e28a635454655794f0815914529dd9b9|07aba275>🔥 1 - g
GitHub
12/10/2025, 4:31 PM1 new commit pushed to
by zwass<https://github.com/osquery/osquery/tree/master|master>
- Add support for Login Items and Background Services on modern macOS (#8726) osquery/osquery<https://github.com/osquery/osquery/commit/d63088023dcd983d4c35ed0b6691021f0a519575|d6308802> - g
GitHub
12/10/2025, 4:32 PM1 new commit pushed to
by zwass<https://github.com/osquery/osquery/tree/master|master>
- Add last_connected_automatic and last_connected_manual to wifi_networks table (#8728) osquery/osquery<https://github.com/osquery/osquery/commit/ae374d60b37af01847bbbf61940a0a5379de1424|ae374d60> - g
GitHub
12/11/2025, 12:45 AM1 new commit pushed to
by zwass<https://github.com/osquery/osquery/tree/master|master>
- Remove test_older_macos job in GitHub Actions because runner has been removed (#8729) osquery/osquery<https://github.com/osquery/osquery/commit/37a46f77d3663dd982fd8460068ba0879346e340|37a46f77> - g
GitHub
12/11/2025, 2:22 AM1 new commit pushed to
by zwass<https://github.com/osquery/osquery/tree/master|master>
- Refresh resolver state on interval to pick up DNS changes (#8716) osquery/osquery<https://github.com/osquery/osquery/commit/5c7807056dc8b31dcf0b169a51018b634254856c|5c780705> - j
John Lamb
12/12/2025, 4:15 PMThe fleet_based.msi option is nice for simplifying install. Any chance we can pass a server certificate as an msi option?g- 2
- 3