Hello is it possible to get from OsQuery events asynchonously without periodic querying? For example process creation, file modifications etc? My idea is trigger specifix queries based on this async events, if OsQuery can provide them. Thank You.

It's slightly different, but in the past people thought about adding an option to bypass tables and have event subscribers send events directly through the logger. I don't think an agreement was reached on whether it fit osquery or not. One thing that can be done here is to schedule a query using a 'discovery query': https://osquery.readthedocs.io/en/stable/deployment/configuration/#discovery-queries The discovery query would contain the event trigger (example:

SELECT * FROM process_events WHERE path = sudo

), and the body would contain the query you want to run in response to this event.

ok, ïll take a look into it, thank You

IIRC discovery queries have weird cache intervals, so that might not work as expected

I wonder what the behavior would be of a discovery query on an evented table like that. My guess would be that it does not do what you are looking for in this scenario.

thx all

Ah that's too bad! I was hoping it would kind of work with some tweaks on events expiry/max events