I want to build a my own library with osquery sdk in c++, is it possible for anyone to guide me

If you are looking at building an extension perhaps the guide here might help

You'll find that the osquery SDK does not support "build all osquery functionality into a library you can link to from your code"

Can't we use the headers of osquery and call APIs?

osquery doesn't expose a binary API to execute its logic/tables, as if it was a library. The "SDK" is just meant to create a thrift communication between the osquery process and the extension process and the C++ one specifically is not even separated from the project. You have to build osquery and the extension together.

Ok, good information

"In ordered to get any results, do we always need to run it in CLI with sql queries" osquery hasn't been written with that in mind or to be used as a library. The CLI is meant to experiment with queries or even use it in production, with an operator behind. The method to ship results is to let osquery run as a daemon and depending on the configuration it will write results on the filesystem locally, which then can be retrieved by something else, or you configure osquery to send the logs using one of the other logger plugins, like TLS, kinesis,firehose.

Ok, I got that.. we cannot build our own library with sdk available. 2 ways to use osquery osqueryi : run commands via CLI to store output or see it. osqueryd: run as demon , but how we can use this at production? Along with our available processes already.

osquery is meant to be deployed and configured to run scheduled queries periodically or to run ad-hoc queries via the "distributed queries" mechanism. The configuration can be a local file that's installed while deployed and then it's updated by a fleet manager where osquery connects to. Ad-hoc/distributed queries would be pulled from the fleet manager and then run. Now if you want to have another procedure to precisely control when queries are run, you either have to use

osqueryi

as previously mentioned, or you could also decide to write an extension that communicates via the Thrift APIs with osquery and works as a bridge between your processes and osquery. Here you're a bit on your own because again it's not exactly what they were intended for. Extensions are external processes that register and communicate with the osquery daemon through the Thrift APIs. They can provide new tables, logger plugins or config plugins. https://osquery.readthedocs.io/en/latest/deployment/extensions/

Excellent!!