Hi everyone Is this possible to use some sort of library pre

Question

Hi everyone Is this possible to use some sort of library preferably Go based to connect to socket and read results I m trying to figure out if it s possible to get rid of additional steps required to build and configure plugin

sharvil · Answer

perhaps <https github com osquery osquery go>

slevchenko · Answer

Thanks but I m trying to figure out if there s such possibility from Osquery API side

seph · Answer

Yes the osquery API supports that as does the go sdk

seph · Answer

Coincidentally I just wrote this into a stack overflow answer <https stackoverflow com questions 75207924 how to fetch information from process events and file events tables from osquery 75210749 75210749>

slevchenko · Answer

< seph> So if I ll connect to a socket I ll be able to read result strings

seph · Answer

Sorta I don t think you can query the results of a scheduled query That s the domain of logging plugins But you can run ad hoc queries and get responses over the socket See <https pkg go dev github com osquery osquery go ExtensionManagerClient>

slevchenko · Answer

Understood unfortunately I need scheduled queries results

seph · Answer

I don t think the socket helps you

seph · Answer

Use a logging plugin Write to the filesystem and read it Or write to some other kind of data store

slevchenko · Answer

Yeah looks like I ll have to stay with plugin plugin I wrote until proper DNSevents table appear

slevchenko · Answer

Logger plugin I wrote works but I was worried that at some point compatibility will break so I ve started to think about alternatives

slevchenko · Answer

But thanks for help

slevchenko · Answer

I hope some time BPFbased DNSevents table for linux will be added and I ll just replace all my stuff with something out of the box

seph · Answer

I don t think osquery has plans on changing anything in the logging plugin stuff At least not at the socket level

slevchenko · Answer

it s not the socket or logging I need the most I m tracking DNS events through my stuff and using osquery to match it against process and socket events

slevchenko · Answer

Once if DNSevents table will be added 90 of what I m using now will not be needed

slevchenko · Answer

anyway thanks again

seph · Answer

ah

seph · Answer

And I m not sure osquery supports events through plugins otherwise I d suggest that direction neutral face

slevchenko · Answer

Although I m calling it events I just mean DNS Questions Answers monitoring

slevchenko · Answer

Are there any plans regarding that

seph · Answer

I d end up writing that as a custom table in a plugin and keeping all the correlation logic in osquery But I have some bias so if what you have works it may not be worth change

seph · Answer

There s been discussion of how to add dns events using the bpf framework I don t remember where we landed

slevchenko · Answer

Alessandro had some PoC back in like 2019 or 2020 and that s all

seph · Answer

Yes Alessandro has been generally doing a lot of BPF work The underlying libraries are totally different now But more expandable

seph · Answer

We ve talked about whether we should allow site configurable BPF driven tables Or publish a dns events one

slevchenko · Answer

Either of these would be great