Switching topic Developing an extension not a plugin The onl

Question

Switching topic Developing an extension not a plugin The online doc doesn t seem to be up to date Using the latest osquery repo `sdk h` is under `osquery osquery sdk` but `events h` is under `osquery osquery include osquery` There s no `dispatcher h` header file but a `osquery osquery dispatcher` folder Same for `database h` just database folders Yet I look around at existing extensions and I see ` include lt osquery database h gt ` ` include lt osquery dispatcher h gt ` ` include lt osquery events h gt ` ` include lt osquery sdk h gt ` Do I need to successfully build osquery to start developing extensions

alessandrogario · Answer

Yes you need to build the extensions at the same time as osquery There are some examples here The extension code has to be copied symlinked inside the external folder

alessandrogario · Answer

Building everything together will generate extension binaries that will have no dependencies on the system and allow you to redistribute them this is especially important for Linux

Yves Dolce · Answer

1 Thanks but that <https github com osquery osquery blob master osquery examples example extension cpp> is a good example of what I m saying `sdk h` is at `osquery sdk sdk h` yet it does ` include lt osquery sdk h gt ` 2 I thought that the difference between an extension and a plugin is that the former can be out of proc independently built from osquery although it does need to reference some files from it Am I wrong

alessandrogario · Answer

Normally there is a 1 1 match between the fs structure and what is used in the include directive WIth osquery this no longer applies This is something that has been introduced by Buck include namespaces and we had to emulate it with CMake

alessandrogario · Answer

Personally I don t think it s a good idea and we should place the files in the right folders from the start No having this can and will cause issues with other tools such as analysis tools

alessandrogario · Answer

In the long past osquery had modules today an extension is just a collection of plugins

alessandrogario · Answer

plugins can be tables config providers loggers etc

alessandrogario · Answer

regardless they are always in the core osqueryd osqueryi or inside another executable never a DLL so file

Yves Dolce · Answer

Thanks I see Doesn t it mean that the doc needs to be updated

alessandrogario · Answer

If the documentation is different compared to the example file yes we should open a ticket about it

Yves Dolce · Answer

For example is your comment about the fs structure anywhere in the doc so that someone wanting to develop an out of proc plugin would know

alessandrogario · Answer

what do you mean with out of proc

alessandrogario · Answer

out of the osquery source tree

Yves Dolce · Answer

An EXE not a DLL

alessandrogario · Answer

there is no other way only executables are supported

alessandrogario · Answer

only the single supported method is documented

Yves Dolce · Answer

Instead of DLL I should have said compiled into OSQUERY

Yves Dolce · Answer

So back to my point about the doc shouldn t something like your comment filesystem be in the doc

alessandrogario · Answer

CMake and Buck will make sure that the include directive for the sdk h file works

alessandrogario · Answer

I m not sure how to document the internals of this

alessandrogario · Answer

this feature of Buck was kind of forced on master

Yves Dolce · Answer

I see Thanks

Yves Dolce · Answer

I still would like to be able to build a small console program that uses `ExtensionManagerClient` with VS outside the `osquery` folder tree Is this possible