Hi everyone

instance = osquery.ExtensionClient('\\\\.\pipe\shell.em')
instance.open()
client = instance.extension_client()
print(client.query('select * from time'))

In this code, it's possible to query osquery via the thrift socket without creating any new extension. I want to ask if it is also possible to set the config and get the logs for the running osquery instance without creating a new extension, and just read/write via the extension_client?

I don’t understand your question. You can send queries to a running osquery using the socket, yes. And you’ll get back the results. To do this you need to have something that can talk thrift. I’m not sure what you mean by logs here. Osquery writes the logs to a log destination. It does not store them waiting for a query over the thrift socket,

Oh, my bad! I saw the logger extension example just now. Sorry for that 😅 What I meant was that: can I implement this config plugin (https://github.com/osquery/osquery-python/blob/master/examples/foobar_config.ext) without creating an extension, and directly communicate with the thrift socket?

I’m pretty unsure about what you’re asking.

So sorry for confusing you @seph, tbh I could have and absolutely should've phrased the question better than I could. But you answered my question perfectly! I was just worried about not creating an extension so much, but I finally realized that it didn't matter. I apologize for wasting your time like this though!

method is returning two JSON configs, right

Huh. That’s an excellent point. I have no idea what that’s doing.

Yeah, me too. Anyways thankyou so much for your help!