here I am new to osquery like to clarify few questions 1 if osquery #general

@here I am new to osquery like to clarify few ques...

Prakash Choudhary

03/26/2021, 3:54 AM

@here I am new to osquery like to clarify few questions. 1) if there is no change in the table the schedule interval query result will not be added to log file ? 2) is there a way to configure to output each query into a new output file

Prateek Kumar Nischal

03/26/2021, 8:29 AM

For regular queries, only new / different rows are written to the log stream. To make the output write everytime, you need to make the schedule query

snapshot

type. Then they will be written into the osqueryd.snapshot.log file.

Prakash Choudhary

03/26/2021, 10:35 AM

@Prateek Kumar Nischal please also suggest on the 2 point

Prateek Kumar Nischal

03/26/2021, 10:38 AM

New output file, for that you will need to write your own logging plugin. At the time AFAIK, there isn't much control (intentionally) on the logger..

Prakash Choudhary

03/26/2021, 11:12 AM

@Prateek Kumar Nischal ok thanks

spookerlabs

03/26/2021, 12:36 PM

I like this post a lot explaining how it works https://blog.kolide.com/osquery-under-the-hood-c1a8df46bb7a

Prakash Choudhary

03/26/2021, 1:19 PM

thanks @spookerlabs nice article

👍 1

5 Views

Open in Slack

Previous Next