# ebpf
@Tal Kapon Welcome! You might need to install `linux-libc-dev` so that the header is available.
@Stefano Bonicatti thanks, that indeed helped. Maybe you can give me a hint on the next questions:
1. osquery throws these messages to the logs: `E0510 094401.856688 3171 bpfeventpublisher.cpp:435] BPFEventPublisher has encountered 1 malformed events`
2. In the actual results from `bpf_socket_event`, in most cases the remote/local address/port are empty or 0. I was expecting that when the family is 1, I would see real values.
For 1: we used to miss some events due to a kernel bug with the execve/execveat tracepoints.
For 2: we won't get all the ports unless we also see the process calling the bind() system call.
Thanks a lot. I much appreciate your helpful responses.