Osquery is designed to talk to extensions over a thrift sock

Question

Osquery is designed to talk to extensions over a thrift socket You can query over it This may not be better than osqueryi though it has less exec overhead

Mariya Milkova · Answer

thank you very much for the info I will look into both options you might be right that the schemas are the same

seph · Answer

The table schema should be the same but sometimes there s some meta data differences But it should be pretty easily transformable

seph · Answer

There are some caveats around diff vs snapshot queries But I think diff queries are a poor fit for the problem you described

Mariya Milkova · Answer

yes I ve been using the snapshot ones

Mariya Milkova · Answer

the concern with the osqueryi is that they are missing a bit of the data in the json files compared to the osquery service

seph · Answer

What data is missing There may be ways of getting it

Mariya Milkova · Answer

things like the decorators

Mariya Milkova · Answer

not the queries themselves more like data about the data

seph · Answer

Ah yes I don t think other things have decorators You could built that into the query usage

seph · Answer

I don t think there s a simple answer here confused It s just not how it s made to be used So you re working around it