Osquery uses basic SQL commands to leverage a relational data-model to describe a device.

osquery

i wrote a guide to installing osquery and go-audit in this mode here: <https://medium.com/@clong/building-a-testbed-for-go-audit-osquery-ea4c0271b0c>

<@U0JA5UETV> Thanks for the article. It is really helpful. As you told that only three different syscall, can you tell me which three syscall it is able to monitor?

<@U0JA5UETV> I know that go-audit will do better job in terms of syscall monitoring, but I just wanted to know whether it is possible using osquery to monitor syscall like auditd or go-audit does?

execve, connect, and bind. You can view them via `auditctl -l`