Osquery uses basic SQL commands to leverage a relational data-model to describe a device.

osquery

howdy channel :slightly_smiling_face: wonder what everyone is using to monitor the running status of osqueryd these days? cron? osqueryctl? launchtl? ps-aux? thank you

Not to be snide, but what does monitoring mean?

Something like launchd or systemd is going to aim to keep the local binary running, but isn’t really going to have visibility into it’s state.

When I’m trying to monitor whether an agent is healthy, if I have a TLS server, I’m going to use that. Run a distributed query, or look at the last time it hit an endpoint, etc.

If I’m trying to monitor for resource usage, I’m going to use a mix of traditional SRE/OPS tools, and I’m going to use osquery to introspect itself.

fair question :slightly_smiling_face: I mean to make sure osqueryd is running.
 `I'm going to use osquery to introspect itself.`
Can you elaborate a little more on how you use that? is it querying osquery_info table?

Anything that’s running osquery as a daemon will make sure it’s running. None of them will make sure it’s working correctly. That’s much more nebulous

If I was trying to diagnose a performance issue, I would look at `osquery_schedule` to see if any queries were amiss in cpu/ram