Osquery is designed to talk to extensions over a t...
# generals
seph
03/04/2022, 1:21 AM
Osquery is designed to talk to extensions over a thrift socket. You can query over it. This may not be better than osqueryi, though it has less exec overhead
m
Mariya Milkova
03/05/2022, 9:44 AMthank you very much for the info, I will look into both options, you might be right that the schemas are the same
s
seph
03/05/2022, 1:11 PM
The table schema should be the same, but sometimes there’s some meta data differences. But it should be pretty easily transformable,
seph
03/05/2022, 1:12 PM
There are some caveats around diff vs snapshot queries. But I think diff queries are a poor fit for the problem you described.
m
Mariya Milkova
03/06/2022, 7:56 PMyes, I’ve been using the snapshot ones
Mariya Milkova
03/06/2022, 7:57 PMthe concern with the osqueryi is that they are missing a bit of the data in the json files compared to the osquery service
s
seph
03/09/2022, 11:28 PM
What data is missing? There may be ways of getting it
m
Mariya Milkova
03/10/2022, 12:34 AMthings like the decorators
Mariya Milkova
03/10/2022, 12:34 AMnot the queries themselves, more like data about the data
s
seph
03/10/2022, 1:48 AM
Ah, yes. I don’t think other things have decorators. You could built that into the query usage.
seph
03/10/2022, 1:51 AM
I don’t think there’s a simple answer here. 😕 It’s just not how it’s made to be used. So you’re working around it
3 Views