Osquery uses basic SQL commands to leverage a relational data-model to describe a device.

osquery

the build command built bunch of osquery lib files, which .lib file is corresponding to osquery/sdk.h?

There isn't a single library that will bring in the SDK. It's also actually difficult to say that there's an SDK at all to be honest (at least for C++).
It's very tied to osquery itself and its build system, because it statically links against some of the third party libraries that osquery itself uses.

Also it's all handled in CMake, so while there are two top level targets an extension links against, it's actually a tree of static libraries that CMake itself resolves at configure time.

from this doc <https://osquery.readthedocs.io/en/1.8.2/development/osquery-sdk/>, it sounds like I can use the SDK.  I want to link osquery SDK to my windows application without osquery application itself running, is that possible?

what is osquery_sdk_pluginsdk.lib and osquery_main.lib? which one includes the implementation of the functions and classes declared in the osquery/sdk.h header file?

The extension SDK exists to extend osquery itself adding tables and to communicate with the osquery process. If you're in search of something to just get the tables functionality in osquery in library form, that's not it.

is osquery_sdk_pluginsdk.lib extension SDK?

<https://github.com/osquery/osquery/blob/d2be385d71f401c85872f00d479df8f499164c5a/osquery/sdk/CMakeLists.txt>

Thanks, I will link all the .lib file to my windows app and give it a try. I wish there was a step by step doc describe how to embed SDK into windows app, so we can call the SDK within our app to query instead of relying on the osqueryd service to be running

I understand, but unfortunately that is not the original design and intention. The intention of the (C++) SDK was to be able to write tables in an extension, try them and then port them over "easily" into osquery (because their implementation was already using most of the osquery internals).

Now it's mostly used for adding tables that have performance requirements that are not acceptable for osquery or that violate some other principle

so,as I was saying, there's no standalone SDK

<@U04MFDQAJ94>, in case this helps; depending on whether you’re planning to link certain implementations of Osquery statically or dynamically, CMake’s <https://cmake.org/cmake/help/latest/prop_tgt/WINDOWS_EXPORT_ALL_SYMBOLS.html|WINDOWS_EXPORT_ALL_SYMBOLS> variable may help. But like Stefano said, I think it might be a bit of a pain to get the project working as a library if it was not designed for that purpose. You may also want to double check that it does not violate osquery project licenses if you’re planning to statically link the project.

Also try running the following command: `cmake --build . --target help`
It will show you which targets osquery project generated.
Then you may be able to `add_subdirectory` from your project to osquery’s project certain targets via `target_link_libraries` with the target name generated from osquery. This will probably make things a bit easier instead of restructuring osquery project.