Is there any kind of tool that provides basic sanity checks for an osquery configuration? I'm specifically thinking of something that consumes a configuration + scheduled queries and checks that all evented tables that are enabled have a corresponding scheduled query that drains them, but I'm sure there are other configuration level issues that could be detected.

No, but sounds very handy.

I did create some informal scripts to do that a year or two ago, but I can''t find them. The only thing I have left is an ugly ruby script that generates a report on queries used. https://github.com/packetzero/osq_config_report

Thanks! I guess I'm gonna have to dig into this in my copious free time 😐

Would be really interesting to build it into osquery itself. Then for example a client could receive a TLS config and report on any potential issues.