Hey folks! What's the best way to run a query from the command-line against Kolide's osqueryd? For instance, I'd like to be able to interactively use osqueryi with the Kolide configuration (eventing tables, table restrictions, augeas configs, etc.) for testing & taking timing measurements.
Hey @Thomas Stromberg check out this blog article by @fritz https://www.kolide.com/blog/how-to-run-osqueryi-with-kolide-launcher-tables
There is also a new interactive mode which you can use to accomplish this even more easily. I need to update my blog post! 😄
As Fritz implies, /usr/local/kolide-k2/bin/launcher interactive should work. It won’t get you the ATC configs, but that’s an unusual thing to need
If you need the ATC configs you can pass a flag to /usr/local/kolide-k2/bin/launcher interactive; there are details on finding the ATC configs in the article Jason posted
I've been using launcher interactive quite a bit for my testing. One thing I noticed in this mode is that it doesn't respect the eventing settings from Kolide:
osquery> SELECT * FROM socket_events;
W1020 11:18:25.713606 1471864192 virtual_table.cpp:969] Table socket_events is event-based but events are disabled
W1020 11:18:25.713634 1471864192 virtual_table.cpp:976] Please see the table documentation: <https://osquery.io/schema/#socket_eve>
I see you can pass
though which helps.
That’s probably true — I don’t think interactive uses the generated config file that the normal runtime does. You can probably work around it by passing in whatever options through
hahaha. And you had just edited.
Yeah, sorry, I had just noticed the same thing 🙂
I’m just 🤣 I love seeing the tools get used. And I love hearing about the gaps