Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
k
Krishan
05/25/2023, 1:55 PMHi. I'm testing osquery on a Mac, and I wanted trigger an event on new ssh connections or logins. I've been looking at process_open_sockets and trying to filter by port 22, but I don't see it. Any idea on which table I should be looking at?
I see logged_in_users but it doesn't exactly show ssh_connections
SELECT DISTINCT processes.uid, process_open_sockets.pid,
process_open_sockets.remote_address,
process_open_sockets.local_port,
process_open_sockets.remote_port
FROM process_open_sockets INNER JOIN processes
WHERE processes.pid=process_open_sockets.pid
AND processes.uid=0
AND process_open_sockets.remote_address <> ""
AND process_open_sockets.remote_address <> "0.0.0.0"
AND process_open_sockets.remote_address <> "10.0.2.2"
AND process_open_sockets.remote_address <> "::";