Does osquery has any support to launch extensions on-demand instead of auto loading extensions at start

This is not supported; extensions can be started 1. by osquery, when starting. this is done through the configuration 2. manually; if osquery is correctly setting up the extension socket, then the extension will automatically connect back to osquery once started It is currently not possible to start extensions on demand. Given a configuration file that maps table_name -> extension on disk, you could in theory automatically start the extension when the registry fails to lookup a table. EDIT: Maybe you can open a feature request/blueprint issue

We were thinking of making watcher.cpp functions public as it has already capability built into it in terms of launching extension and maintaining the list in a map

What is the scenario or use case you have where on-demand extension loading is a potential solution? How do you imagine this working, do you have a configuration management tool that is deploying new extensions and you need to tell

osqueryd

to load them?

The idea is to control scan intervals and loading of extensions from central server. Rather bundling all extensions as part of os query

Will the central server send the extension to a host on-demand?

yes

If the central server is something that you are designing, and not already built, it could restart the osqueryd service each time a new extension is delivered and make the appropriate change to the autoload file.

Okay Thanks @theopolis