# general
  • g

    GitHub

    03/25/2025, 6:27 PM
    1 new commit pushed to
    <https://github.com/osquery/osquery/tree/master|master>
    by zwass
    <https://github.com/osquery/osquery/commit/2801baffd4ff3522434d593e6b22ede24cc7f283|2801baff>
    - Pin macos python versions in CI to fix mismatch between builder and test runner (#8559) osquery/osquery
  • g

    GitHub

    03/26/2025, 2:35 AM
    1 new commit pushed to
    <https://github.com/osquery/osquery/tree/master|master>
    by directionless
    <https://github.com/osquery/osquery/commit/1424defadf2bf65b5a6ff9bdde787820b5a1e1e2|1424defa>
    - cve: Ignore util-linux CVE-2024-28085 (#8579) osquery/osquery
  • g

    GitHub

    03/29/2025, 4:38 PM
    1 new commit pushed to
    <https://github.com/osquery/osquery/tree/master|master>
    by directionless
    <https://github.com/osquery/osquery/commit/701b62fa7c6116cbe148e13766896b7f239d14ff|701b62fa>
    - build(deps): bump jinja2 from 3.1.5 to 3.1.6 (#8563) osquery/osquery
  • g

    GitHub

    03/31/2025, 2:29 AM
    1 new commit pushed to
    <https://github.com/osquery/osquery/tree/master|master>
    by directionless
    <https://github.com/osquery/osquery/commit/26ed5139fb5ad8006db8a9f4b2c571d43cef6ee1|26ed5139>
    - Fix SMC reading values (#8583) osquery/osquery
  • g

    GitHub

    04/02/2025, 7:11 PM
    1 new commit pushed to
    <https://github.com/osquery/osquery/tree/master|master>
    by zwass
    <https://github.com/osquery/osquery/commit/7bbe33d1e923bc794a60cbf0a6096c62d94358be|7bbe33d1>
    - Fix network metrics in docker_container_stats (#8567) osquery/osquery
  • g

    GitHub

    04/02/2025, 7:24 PM
    1 new commit pushed to
    <https://github.com/osquery/osquery/tree/master|master>
    by zwass
    <https://github.com/osquery/osquery/commit/11dacee23afcabc93ce18f2591aeec89db8b2428|11dacee2>
    - Implement yara_events table for Windows (#8580) osquery/osquery
  • g

    gautam

    04/08/2025, 9:26 AM
    Hi everyone, I need some clarification regarding osquery extensions. I recently custom-built an extension in Go. It works fine on Linux and macOS, but on Windows, I'm getting the following error:

        I0404 11:53:12.662837 16328 init.cpp:413] osquery initialized [version=5.16.0]
        I0404 11:53:12.766654 16328 extensions.cpp:438] Found autoloadable extension: C:\Program Files\custom\extensions\compliance.exe
        O2025/04/04 11:53:14 Error creating extension: dialing pipe '\\.\pipe\osquery.em': open \\.\pipe\osquery.em: The system cannot find the file specified.
        W0404 11:53:16.786880  3532 watcher.cpp:739] Extension respawning too quickly: C:\Program Files\custom\extensions\compliance.exe

    Flags used:

        --extensions_autoload="C:\Program Files\custom\extensions.load"
        --extensions_timeout=5
        --extensions_interval=5
        --extensions_socket="\\.\pipe\osquery.em"

    (I also tried using --extensions_socket="\\.\pipe\shell.em" but faced the same issue.) Has anyone faced a similar issue or can help me troubleshoot this? Any help would be appreciated! Looking forward to your suggestions.
  • g

    GitHub

    04/09/2025, 4:08 PM
    1 new commit pushed to
    <https://github.com/osquery/osquery/tree/master|master>
    by zwass
    <https://github.com/osquery/osquery/commit/1e5ed3750e8f73257819d75694cd1b9f82280918|1e5ed375>
    - Fix flaky mdfind test in CI (#8589) osquery/osquery
  • g

    GitHub

    04/09/2025, 4:22 PM
    1 new commit pushed to
    <https://github.com/osquery/osquery/tree/master|master>
    by zwass
    <https://github.com/osquery/osquery/commit/6b87d0cb535af8ecd4d53af39e8921c9b65727bb|6b87d0cb>
    - libs: openssl: 3.2.1 -> 3.4.1 (#8586) osquery/osquery
  • g

    GitHub

    04/09/2025, 10:14 PM
    1 new commit pushed to
    <https://github.com/osquery/osquery/tree/master|master>
    by zwass
    <https://github.com/osquery/osquery/commit/ddd83fab60350090c2aa78e84e890738bd317b79|ddd83fab>
    - Add support for DEB822-style apt sources (#8556) osquery/osquery
  • g

    GitHub

    04/09/2025, 10:16 PM
    1 new commit pushed to
    <https://github.com/osquery/osquery/tree/master|master>
    by zwass
    <https://github.com/osquery/osquery/commit/7815b6bf71ae26de5233c695aa8aca0a653bfbb6|7815b6bf>
    - Add support for msix packages (#8585) osquery/osquery
  • g

    GitHub

    04/10/2025, 2:59 PM
    1 new commit pushed to
    <https://github.com/osquery/osquery/tree/master|master>
    by zwass
    <https://github.com/osquery/osquery/commit/c18a20d7fc7be9b13503258bcba1445090591ffe|c18a20d7>
    - Implement dns_lookup_events table on Windows (#8553) osquery/osquery
  • g

    GitHub

    04/10/2025, 5:22 PM
    1 new commit pushed to
    <https://github.com/osquery/osquery/tree/master|master>
    by zwass
    <https://github.com/osquery/osquery/commit/60ce8f30dc86892a2ff3b388c6612d39f223a5ef|60ce8f30>
    - Added UpgradeCode to programs table (#8587) osquery/osquery
  • g

    GitHub

    04/10/2025, 6:22 PM
    1 new commit pushed to
    <https://github.com/osquery/osquery/tree/master|master>
    by zwass
    <https://github.com/osquery/osquery/commit/24416b16f9c406d3deb1f74d5dfcee924c732bcd|24416b16>
    - libs: expat bump from 2.6.0 to 2.7.1 (#8595) osquery/osquery
  • g

    GitHub

    04/11/2025, 2:28 PM
    1 new commit pushed to
    <https://github.com/osquery/osquery/tree/master|master>
    by Smjert
    <https://github.com/osquery/osquery/commit/455cdd7715ec2f3850b9cccced47885ed43089a2|455cdd77>
    - Update ubuntu runners to 22.04 (#8592) osquery/osquery
  • i

    Ignacio Ovsannikov

    04/14/2025, 8:42 AM
    Hey folks! 👋 I wanted to share my thoughts about LinkedIn and hear your opinions. LinkedIn is turning into a total swamp — just endless sales pitches, random people trying to sell you stuff in their very first message, and so much useless noise. This is exactly why I value our communities so much, where we can communicate peacefully and I can grow my network without constantly being bombarded. Although, to be fair, scammers with suspicious files occasionally appear here too, but fortunately, there aren't many of them. Do you still find LinkedIn useful? What social networks/platforms do you use for professional communication besides Slack? Looking forward to discussing this with you all! 🙌
  • g

    GitHub

    04/15/2025, 1:47 PM
    1 new commit pushed to
    <https://github.com/osquery/osquery/tree/master|master>
    by directionless
    <https://github.com/osquery/osquery/commit/e0ce3da13ab62cc4c5e61751059e6d084ee1d864|e0ce3da1>
    - Refactor ETW helpers for unicode support (#8596) osquery/osquery
  • g

    GitHub

    04/15/2025, 7:11 PM
    1 new commit pushed to
    <https://github.com/osquery/osquery/tree/master|master>
    by zwass
    <https://github.com/osquery/osquery/commit/73123f921402c933de9b2f84ebc5e28a148b91ff|73123f92>
    - Fix/startup items parsing (#8536) osquery/osquery
  • g

    GitHub

    04/16/2025, 4:56 AM
    1 new commit pushed to
    <https://github.com/osquery/osquery/tree/master|master>
    by zwass
    <https://github.com/osquery/osquery/commit/1ab05a6e4a21b8a6b6531ed45ecc4a748b47f5d1|1ab05a6e>
    - Filter the Win32_Processor query to only required fields (#8598) osquery/osquery
  • g

    GitHub

    04/16/2025, 5:04 AM
    Release - 5.17.0
    New release published by zwass
    ## 5.17.0 Git Commits
    ## What's Changed
    • Add CHANGELOG.md entry for 5.16.0 by @lucasmrod in #8548
    • Add symlink_target_path to files tables by @DocEmmetBrown in #8502
    • cve: Ignore libarchive CVE-2024-26256 by @Smjert in #8546
    • Fixes in windows helpers by @zwass in #8549
    • Align ES functions with documented macOS versions by @SilverPlate3 in #8338
    • Fix include path in logger-plugins.md by @zwass in #8550
    • Fix integration test name in Windows build instructions by @zwass in #8552
    • Fix event expiration to prevent losing events by @zwass in #8535
    • Update shell_history table to include ash by @jbeley in #8568
    • Fix dicker container table disk/write metrics, compares "op" values with ignore case by @Kislaci90 in #8566
    • Escape service binary path in manage-osqueryd.ps1 by @smithclay in #8569
    • Update docker_container_stats table to include memory_inactive_file and memory_total_inactive_file by @kfnorbi in #8577
    • Add auto_update and app_name column to homebrew_packages table by @DocEmmetBrown in #8520
    • Add support for scheduled queries to run at startup by @Micah-Kolide in #8554
    • Boost 1.87 compatibility by @carlsmedstad in #8533
    • Pin macos python versions in CI to fix mismatch between builder and test runner by @scottvanta in #8559
    • cve: Ignore util-linux CVE-2024-28085 by @Smjert in #8579
    • build(deps): bump jinja2 from 3.1.5 to 3.1.6 by @dependabot in #8563
    • Fix SMC reading values by @sgress454 in #8583
    • Fixes network metrics by @Kislaci90 in #8567
    • Implement yara_events table for Windows by @zwass in #8580
    • Fix flaky mdfind test in CI by @zwass in #8589
    • libs: openssl: 3.2.1 -> 3.4.1 by @LeSuisse in #8586
    • Add support for DEB822-style apt sources by @dantecatalfamo in #8556
    • Add support for msix packages by @ksykulev in #8585
    • Implement dns_lookup_events table on Windows by @zwass in #8553
    • Added UpgradeCode to programs table by @ksykulev in #8587
    • libs: expat bump from 2.6.0 to 2.7.1 by @LeSuisse in #8595
    • Update ubuntu runners to 22.04 by @zwass in #8592
    • Refactor ETW helpers for unicode support by @zwass in #8596
    • Fix/startup items parsing by @AndreaMarangoni in #8536
    • Filter the Win32_Processor query to only required fields by @jaymzjulian in #8598
    ## New Contributors
    • @DocEmmetBrown made their first contribution in #8502
    • @jbeley made their first contribution in #8568
    • @Kislaci90 made their first contribution in #8566
    • @smithclay made their first contribution in #8569
    • @kfnorbi made their first contribution in #8577
    • @scottvanta made their first contribution in #8559
    • @LeSuisse made their first contribution in #8586
    • @dantecatalfamo made their first contribution in #8556
    • @jaymzjulian made their first contribution in #8598
    Full Changelog: 5.16.0...5.17.0 osquery/osquery
  • g

    GitHub

    04/18/2025, 12:14 AM
    1 new commit pushed to
    <https://github.com/osquery/osquery/tree/master|master>
    by zwass
    <https://github.com/osquery/osquery/commit/182672a0728f26fd20424b69ecad8d4c453c9dd0|182672a0>
    - [Performance Analysis] print stderr if exists (#8600) osquery/osquery
  • l

    Lichao Li

    04/26/2025, 12:57 AM
    👋 One question about this doc: https://osquery.readthedocs.io/en/stable/deployment/file-integrity-monitoring/
    It says: "Do not use arbitrary category names under the exclude_paths node; only valid names are allowed. Valid categories - Categories referenced under the file_paths node. In the above example config, homes, etc and tmp are valid categories."
    Other than homes, etc and tmp, are there any other valid categories? Can I exclude a path like /var/logs and call the category var?
  • k

    Kyle Pazandak

    04/29/2025, 4:57 PM
    Thought I would ask. In the middle of porting my MacAgent off Python and into Swift. Is there a Swift framework or library already built to easily import OSQ?
  • s

    Shreshtha

    05/13/2025, 7:53 AM
    Hi everyone, I'm working on integrating Sentry logging into the Kolide Launcher to capture runtime errors. I've added the Sentry logic and initialized the SDK in main.go. When I run ./launcher directly, everything works fine and events show up in Sentry. However, when I install the launcher using the .pkg installer, the launcher runs successfully (I can see the computer appear in Fleet), but no logs are sent to Sentry. Has anyone here tried adding Sentry or another logging service to the launcher? Any idea? Thanks in advance!
  • a

    Abu Sadeq

    05/13/2025, 9:47 PM
    Hello, are there query packs available for IT compliance? For example, ISO 27001, SOC 2, CMMC, NIST CSF etc.
  • k

    KiloelectronVolt

    05/19/2025, 1:33 PM
    Some advice for a noob please. I have been looking at Kolide (now 1Password device trust) and Fleet DM, which are both built on osquery. Is it worth starting by learning osquery from scratch, as both leverage it? There seems to be overlap in them; I realise they were both once the same company.
  • t

    Tarun Ganesh

    05/20/2025, 11:14 AM
    Hello all, I'm currently configuring osquery with Fleet. I'm trying to use both BPF events and the Audit subsystem together to get complete coverage. Here's a snippet of my current flags configuration:

        command_line_flags:
          disable_audit: false
          enable_bpf_events: true
          disable_events: false   # was written as "disable_events=false"; YAML mappings need "key: value"
          enable_file_events: true

    When I check the osquery_events table, I can see that the audit publisher is now active, but I'm not seeing file events being generated when files in the monitored paths are modified, whereas I can see the bpf_process_events and bpf_socket_events. My questions:
    1. Can BPF events and the Audit subsystem be used together effectively, or do they conflict?
    2. Is there a preferred approach for comprehensive monitoring that includes both FIM and process/socket monitoring?
    3. Are there specific configurations needed to ensure FIM works properly with these settings?
    4. Should I be using a specific publisher for FIM (inotify vs audit vs BPF)?
    Any guidance would be greatly appreciated!
  • i

    independent

    05/21/2025, 2:38 PM
    Hi all, I have a question related to process_events and the osqueryd. We have configured:

        "non_https_network_connection": {
          "query": "SELECT p.pid, p.path, pr.path AS parent_process, p.cmdline,
                    se.local_port, se.remote_port, se.local_address, se.remote_address FROM
                    socket_events AS se INNER JOIN process_events AS p ON p.pid = se.pid
                    LEFT JOIN process_events AS pr ON pr.pid = p.parent WHERE
                    .........<rest of query>';",
          "interval": "60",
          "description": "."
        },

    Now this works locally in osqueryi and presents all the events. The problem is when we run this pack with the daemon: only one event is returned every 60s, while you would suspect all the events of the last 60s to be returned. Are we missing something here? Is this an optimisation issue? Happy to hear. Best regards.
  • g

    GitHub

    05/21/2025, 7:49 PM
    1 new commit pushed to
    <https://github.com/osquery/osquery/tree/master|master>
    by Smjert
    <https://github.com/osquery/osquery/commit/e085e11838d4f921827cf4754184a05ef2c6f654|e085e118>
    - libs: Update googletest (#8604) osquery/osquery
  • i

    Irena Reedy

    05/22/2025, 2:57 PM
    Hi everyone! I'm Irena, the new Apprentice at Fleet. Super excited to connect with you all ☺️