flag if you'd like to investigate the contents, but there's not need to insert/modify data that's in the DB already
flag, so you might need to do some digging. I've also not really heard of folks using this, what about just using
? What are you trying to accomplish by disabling the logger? • You're right, the rocksdb can also be used for log caching, and every period of the logger buffer that's specified this cache will be flushed to whatever logger plugin is being used. But again, this isn't something we typically encourage folks to interact with. • Queries from osqueryi are just returned directly to the shell.
was really intended originally to be used more for query debugging and shell experience. It's not really intended for getting you information in a periodic manner, that's what
is for. When you launch into
there's a number of plugins and features that aren't turned on, as osquery is just an interactive shell that operates with the osquery registry to allow you to call different tables. You can turn on a bunch of the features using the CLI flags, but again this wont properly emulate how the daemon operates. For a lot of these questions it might be useful to know more about what you're trying to accomplish. Are you hoping to achieve something specific? Or are you just exploring the code base and the features?
should enable logging, but honestly I just wouldn't touch that flag at all. For the record, osqueryi and osqueryd are the same binary, there's just a slightly different code path taken when the binary name is osqueryi.exe, which is to drop you to an interactive sqlite shell. Both osqueryi and osqueryd generate data in the same way, but osqueryd gets it's query information from the configuration whereas osqueryi gets its query information from the shell. Further, osqueryd has a scheduler, where as osqueryi doesn't active this (I think, I could be wrong ^.^) Hope that helps!