I am trying to basically automate any osqueryi queries so that I can get real-time system information. I was thinking of going to the conf files and using schedule to try and test this on maybe 1 or 2 queries and hopefully see the results logged in some kind of logger file. Any ideas?

@Bit_by_bit I'm not entirely sure I follow what you're wanting to do... Are you saying you'd like to automate execution of osqueryi queries? this is what the osqueryd daemon is for, or maybe I'm misunderstanding what you're asking

@thor yes you are right. I want to get real time data. If I use osqueryi, it will give information about the system's state at that point which may have changed later on. Therefore, if I can automate it, I can get the same results every 10ms if I wanted

Yeah you'll want to use osqueryd for that, however we don't have ms granularity, it's second granularity, and many of the tables aren't performant enough to be able to get data every second. What we've had success with in the past is using the Windows event logging pipeline to get data out. There's a few issues open to try and build out event publisher tables for process auditing and network socket auditing, but these aren't there yet

hmm..would it be easier on mac or linux?

Mac and Linux both have event publisher tables for processes, network events, and file events, so yes

Cool beans! Tbh, I really like this project and would love to help in my free time. Being in college, it really restricts my free time...

Ah, actually you'll want this 🙂 https://osquery.readthedocs.io/en/stable/deployment/process-auditing/

Cool, ill def try it out with linux and see how it goes