I want to build a my own library with osquery sdk in c++ is

Question

I want to build a my own library with osquery sdk in c++ is it possible for anyone to guide me

koo · Answer

If you are looking at building an extension perhaps the guide <https osquery readthedocs io en stable deployment extensions |here> might help

Mike Myers · Answer

You ll find that the osquery SDK does not support build all osquery functionality into a library you can link to from your code

Mike Myers · Answer

many have begun with that as their goal but if that is your goal you are better off shipping the osquery executable and invoking it and consuming the results

lankesh · Answer

Can t we use the headers of osquery and call APIs

lankesh · Answer

In ordered to get any results do we always need to run it in CLI with sql queries

Stefano Bonicatti · Answer

osquery doesn t expose a binary API to execute its logic tables as if it was a library The SDK is just meant to create a thrift communication between the osquery process and the extension process and the C++ one specifically is not even separated from the project You have to build osquery and the extension together

lankesh · Answer

Ok good information

lankesh · Answer

Thank you

Stefano Bonicatti · Answer

In ordered to get any results do we always need to run it in CLI with sql queries osquery hasn t been written with that in mind or to be used as a library The CLI is meant to experiment with queries or even use it in production with an operator behind The method to ship results is to let osquery run as a daemon and depending on the configuration it will write results on the filesystem locally which then can be retrieved by something else or you configure osquery to send the logs using one of the other logger plugins like TLS kinesis firehose

Stefano Bonicatti · Answer

That been said as Mike was suggesting one can launch a query via CLI like `osqueryd S select from osquery info json` and parse the output but it s less than ideal

lankesh · Answer

Ok I got that we cannot build our own library with sdk available 2 ways to use osquery osqueryi run commands via CLI to store output or see it osqueryd run as demon but how we can use this at production Along with our available processes already

lankesh · Answer

What is extension here writing our own table

lankesh · Answer

Also didn t get whats extension process

Stefano Bonicatti · Answer

osquery is meant to be deployed and configured to run scheduled queries periodically or to run ad hoc queries via the distributed queries mechanism The configuration can be a local file that s installed while deployed and then it s updated by a fleet manager where osquery connects to Ad hoc distributed queries would be pulled from the fleet manager and then run Now if you want to have another procedure to precisely control when queries are run you either have to use `osqueryi` as previously mentioned or you could also decide to write an extension that communicates via the Thrift APIs with osquery and works as a bridge between your processes and osquery Here you re a bit on your own because again it s not exactly what they were intended for Extensions are external processes that register and communicate with the osquery daemon through the Thrift APIs They can provide new tables logger plugins or config plugins <https osquery readthedocs io en latest deployment extensions >

Stefano Bonicatti · Answer

and also run queries on the core tables

lankesh · Answer

Excellent

lankesh · Answer

Now all i have to figure is how to write extensions for osquery demon

lankesh · Answer

This is really nice explanation this saved lot of my time

lankesh · Answer

Thanks a ton