osqueryi

Your OS as a high-performance relational database

Options

| Name | Description |
| --- | --- |
| `--flagfile <path>` | Line-delimited file of additional flags |
| `--D` | Run as a daemon process |
| `--S` | Run as a shell process |
| `--alarm_timeout <value>` | Seconds to allow for shutdown. Minimum is 10 |
| `--carver_block_size <value>` | Size of blocks used for POSTing data back to remote endpoints |
| `--carver_compression` | Compress archives using zstd prior to upload (default false) |
| `--carver_continue_endpoint <value>` | TLS/HTTPS endpoint that receives carved content after session creation |
| `--carver_disable_function` | Disable the osquery file carver function (default true) |
| `--carver_expiry <value>` | Seconds to store successful carve result metadata (in carves table) |
| `--carver_start_endpoint <value>` | TLS/HTTPS init endpoint for forensic carver |
| `--config_accelerated_refresh <value>` | Interval to wait if reading a configuration fails |
| `--config_check` | Check the format of an osquery config and exit |
| `--config_dump` | Dump the contents of the configuration, then exit |
| `--config_enable_backup` | Backup config and use it when refresh fails |
| `--config_path <value>` | Path to JSON config file |
| `--config_plugin <value>` | Config plugin name |
| `--config_refresh <value>` | Optional interval in seconds to re-read configuration |
| `--config_tls_endpoint <value>` | TLS/HTTPS endpoint for config retrieval |
| `--config_tls_max_attempts <value>` | Number of attempts to retry a TLS config request |
| `--daemonize` | Attempt to daemonize (POSIX only) |
| `--database_dump` | Dump the contents of the backing store |
| `--database_path <value>` | If using a disk-based backing store, specify a path |
| `--disable_carver` | Disable the osquery file carver (default true) |
| `--disable_enrollment` | Disable enrollment functions on related config/logger plugins |
| `--disable_extensions` | Disable extension API |
| `--disable_reenrollment` | Disable re-enrollment attempts if related plugins return invalid |
| `--disable_tables <value>` | Comma-delimited list of table names to be disabled |
| `--disable_watchdog` | Disable userland watchdog process |
| `--enable_extensions_watchdog` | Enable userland watchdog for extensions processes |
| `--enable_tables <value>` | Comma-delimited list of table names to be enabled |
| `--enroll_always` | On startup, send a new enrollment request |
| `--enroll_secret_env <value>` | Name of environment variable holding enrollment-auth secret |
| `--enroll_secret_path <value>` | Path to an optional client enrollment-auth secret |
| `--enroll_tls_endpoint <value>` | TLS/HTTPS endpoint for client enrollment |
| `--extensions_autoload <value>` | Optional path to a list of autoloaded & managed extensions |
| `--extensions_interval <value>` | Seconds delay between connectivity checks |
| `--extensions_require <value>` | Comma-separated list of required extensions |
| `--extensions_socket <value>` | Path to the extensions UNIX domain socket |
| `--extensions_timeout <value>` | Seconds to wait for autoloaded extensions |
| `--force` | Force osqueryd to kill previously-running daemons |
| `--install` | Install osqueryd as a service |
| `--logger_mode <value>` | Octal mode for log files (default '0640') |
| `--logger_plugin <value>` | Logger plugin name |
| `--logger_stderr` | Write status logs to stderr |
| `--logtostderr` | Log messages to stderr in addition to the logger plugin(s) |
| `--pidfile <value>` | Path to the daemon pidfile mutex |
| `--proxy_hostname <value>` | Optional HTTP proxy hostname |
| `--stderrthreshold <value>` | Stderr log level threshold |
| `--tls_client_cert <value>` | Optional path to a TLS client-auth PEM certificate |
| `--tls_client_key <value>` | Optional path to a TLS client-auth PEM private key |
| `--tls_enroll_max_attempts <value>` | The total number of attempts that will be made to the enroll endpoint if a request fails, 0 for infinite |
| `--tls_enroll_max_interval <value>` | Maximum wait time in seconds between enroll retry attempts |
| `--tls_hostname <value>` | TLS/HTTPS hostname for Config, Logger, and Enroll plugins |
| `--tls_server_certs <value>` | Optional path to a TLS server PEM certificate(s) bundle |
| `--tls_session_reuse` | Reuse TLS session sockets |
| `--tls_session_timeout <value>` | TLS session keep alive timeout in seconds |
| `--uninstall` | Uninstall osqueryd as a service |
| `--watchdog_delay <value>` | Initial delay in seconds before watchdog starts |
| `--watchdog_forced_shutdown_delay <value>` | Seconds that the watchdog will wait to do a forced shutdown after a graceful shutdown request, when a resource limit is hit |
| `--watchdog_latency_limit <value>` | Override watchdog profile CPU utilization latency limit |
| `--watchdog_level <value>` | Performance limit level |
| `--watchdog_memory_limit <value>` | Override watchdog profile memory limit (e.g., 300, for 300MB) |
| `--watchdog_utilization_limit <value>` | Override watchdog profile CPU utilization limit |
| `--audit_allow_config` | Allow the audit publisher to change auditing configuration |
| `--audit_allow_fim_events` | Allow the audit publisher to install filesystem-related rules |
| `--audit_allow_process_events` | Allow the audit publisher to install process-related rules |
| `--audit_allow_sockets` | Allow the audit publisher to install socket-related rules |
| `--audit_allow_user_events` | Allow the audit publisher to install user-related rules |
| `--augeas_lenses <value>` | Directory that contains augeas lenses files |
| `--aws_access_key_id <value>` | AWS access key ID |
| `--aws_debug` | Enable AWS SDK debug logging |
| `--aws_enable_proxy` | Enable proxying of HTTP/HTTPS requests in AWS client config |
| `--aws_firehose_endpoint <value>` | Custom Firehose endpoint |
| `--aws_firehose_period <value>` | Seconds between flushing logs to Firehose (default 10) |
| `--aws_firehose_stream <value>` | Name of Firehose stream for logging |
| `--aws_kinesis_disable_log_status` | Disable status logs processing |
| `--aws_kinesis_endpoint <value>` | Custom Kinesis endpoint |
| `--aws_kinesis_period <value>` | Seconds between flushing logs to Kinesis (default 10) |
| `--aws_kinesis_random_partition_key` | Enable random kinesis partition keys |
| `--aws_kinesis_stream <value>` | Name of Kinesis stream for logging |
| `--aws_profile_name <value>` | AWS profile for authentication and region configuration |
| `--aws_proxy_host <value>` | Proxy host for use in AWS client config |
| `--aws_proxy_password <value>` | Proxy password for use in AWS client config |
| `--aws_proxy_port <value>` | Proxy port for use in AWS client config |
| `--aws_proxy_scheme <value>` | Proxy HTTP scheme for use in AWS client config (http or https, default https) |
| `--aws_proxy_username <value>` | Proxy username for use in AWS client config |
| `--aws_region <value>` | AWS region |
| `--aws_secret_access_key <value>` | AWS secret access key |
| `--aws_session_token <value>` | AWS STS session token |
| `--aws_sts_arn_role <value>` | AWS STS ARN role |
| `--aws_sts_region <value>` | AWS STS region |
| `--aws_sts_session_name <value>` | AWS STS session name |
| `--aws_sts_timeout <value>` | AWS STS assume role credential validity in seconds (default 3600) |
| `--buffered_log_max <value>` | Maximum number of logs in buffered output plugins (0 = unlimited) |
| `--decorations_top_level` | Add decorators as top level JSON objects |
| `--disable_audit` | Disable receiving events from the audit subsystem |
| `--disable_caching` | Disable scheduled query caching |
| `--disable_database` | Disable the persistent RocksDB storage |
| `--disable_decorators` | Disable log result decoration |
| `--disable_distributed` | Disable distributed queries (default true) |
| `--disable_endpointsecurity` | Disable receiving events from the EndpointSecurity subsystem |
| `--disable_endpointsecurity_fim` | Disable file events from the EndpointSecurity subsystem |
| `--disable_events` | Disable osquery publish/subscribe system |
| `--disable_hash_cache` | Cache calculated file hashes, re-calculate only if inode times change |
| `--disable_logging` | Disable ERROR/INFO logging |
| `--distributed_interval <value>` | Seconds between polling for new queries (default 60) |
| `--distributed_loginfo` | Log the running distributed queries name at INFO level |
| `--distributed_plugin <value>` | Distributed plugin name |
| `--distributed_tls_max_attempts <value>` | Number of times to attempt a request |
| `--distributed_tls_read_endpoint <value>` | TLS/HTTPS endpoint for distributed query retrieval |
| `--distributed_tls_write_endpoint <value>` | TLS/HTTPS endpoint for distributed query results |
| `--docker_socket <value>` | Docker UNIX domain socket path |
| `--enable_file_events` | Enables the file_events publisher |
| `--enable_foreign` | Enable no-op foreign virtual tables |
| `--enable_keyboard_events` | Enable listening for keyboard events |
| `--enable_mouse_events` | Enable listening for mouse events |
| `--enable_numeric_monitoring` | Enable numeric monitoring system |
| `--ephemeral` | Skip pidfile and database state checks |
| `--es_fim_mute_path_literal <value>` | Comma delimited list of path literals to be muted for FIM |
| `--es_fim_mute_path_prefix <value>` | Comma delimited list of path prefixes to be muted for FIM |
| `--events_expiry <value>` | Timeout to expire event subscriber results |
| `--events_max <value>` | Maximum number of event batches per type to buffer |
| `--events_optimize` | Optimize subscriber select queries (scheduler only) |
| `--extensions_default_index` | Enable INDEX on all extension table columns (default true) |
| `--hash_cache_max <value>` | Size of LRU file hash cache |
| `--host_identifier <value>` | Field used to identify the host running osquery (hostname, uuid, instance, ephemeral, specified) |
| `--logger_event_type` | Log scheduled results as events |
| `--logger_kafka_acks <value>` | The number of acknowledgments the leader has to receive (0, 1, 'all') |
| `--logger_kafka_brokers <value>` | Bootstrap broker(s) as a comma-separated list of host or host:port (default port 9092) |
| `--logger_kafka_compression <value>` | Compression codec to use for compressing message sets ('none' or 'gzip') |
| `--logger_kafka_topic <value>` | Kafka topic to publish logs under |
| `--logger_min_status <value>` | Minimum level for status log recording |
| `--logger_min_stderr <value>` | Minimum level for statuses written to stderr |
| `--logger_numerics` | Use numeric JSON syntax for numeric values |
| `--logger_path <value>` | Directory path for ERROR/WARN/INFO and results logging |
| `--logger_rotate` | Use filesystem log rotation |
| `--logger_rotate_max_files <value>` | Max number of files to keep in rotation |
| `--logger_rotate_size <value>` | Size for each filesystem log in bytes |
| `--logger_snapshot_event_type` | Log scheduled snapshot results as events |
| `--logger_syslog_facility <value>` | Syslog facility for status and results logs (0-23, default 19) |
| `--logger_syslog_prepend_cee` | Prepend @cee: tag to logged JSON messages |
| `--logger_tls_compress` | GZip compress TLS/HTTPS request body |
| `--logger_tls_endpoint <value>` | TLS/HTTPS endpoint for results logging |
| `--logger_tls_max_lines <value>` | Max number of logs to send per period |
| `--logger_tls_max_linesize <value>` | Max size in bytes allowed per log line |
| `--logger_tls_period <value>` | Seconds between flushing logs over TLS/HTTPS |
| `--nullvalue <value>` | Set string for NULL values, default '' |
| `--numeric_monitoring_filesystem_path <value>` | File to dump numeric monitoring records one per line. The format of the line is `<PATH><TAB><VALUE><TAB><TIMESTAMP>` |
| `--numeric_monitoring_plugins <value>` | Comma separated numeric monitoring plugins names |
| `--numeric_monitoring_pre_aggregation_time <value>` | Time period in seconds for numeric monitoring pre-aggregation buffer |
| `--pack_delimiter <value>` | Delimiter for pack and query names |
| `--pack_refresh_interval <value>` | Cache expiration for a packs discovery queries |
| `--read_max <value>` | Maximum file read size |
| `--schedule_default_interval <value>` | Query interval to use if none is provided |
| `--schedule_epoch <value>` | Epoch for scheduled queries |
| `--schedule_lognames` | Log the running scheduled query name at INFO level |
| `--schedule_max_drift <value>` | Max time drift in seconds |
| `--schedule_reload <value>` | Interval in seconds to reload database arenas |
| `--schedule_splay_percent <value>` | Percent to splay config times |
| `--schedule_timeout <value>` | Limit the schedule to a duration in seconds, 0 for no limit |
| `--specified_identifier <value>` | Field used to specify the host_identifier when set to 'specified' |
| `--table_delay <value>` | Add an optional microsecond delay between table scans |
| `--table_exceptions` | Allow tables to throw exceptions |
| `--thrift_string_size_limit <value>` | Sets the maximum string size allowed in a thrift message, use 0 for unlimited |
| `--thrift_timeout <value>` | Timeout for thrift socket operations |
| `--thrift_verbose` | Enable the thrift log handler |
| `--tls_disable_status_log` | Disable sending status logs |
| `--verbose` | Enable verbose informational messages |
| `--worker_threads <value>` | Number of work dispatch threads |
| `--yara_delay <value>` | Time in ms to sleep after scan of each file (default 50) to reduce memory spikes |
| `--A <value>` | Select all from a table |
| `--L` | List all table names |
| `--connect <value>` | Connect to an extension socket |
| `--csv` | Set output mode to 'csv' |
| `--extension <value>` | Path to a single extension to autoload |
| `--header` | Toggle column headers true/false |
| `--json` | Set output mode to 'json' |
| `--json_pretty` | Set output mode to 'json_pretty' |
| `--line` | Set output mode to 'line' |
| `--list` | Set output mode to 'list' |
| `--pack <value>` | Run all queries in a pack |
| `--planner` | Enable osquery runtime planner output |
| `--profile <value>` | Enable profile mode when non-0, set number of iterations |
| `--separator <value>` | Set output field separator, default '\|' |