osqueryi
Your OS as a high-performance relational database
Options
Name | Description |
---|---|
--flagfile <path> | Line-delimited file of additional flags |
--D | Run as a daemon process |
--S | Run as a shell process |
--alarm_timeout <value> | Seconds to allow for shutdown. Minimum is 10 |
--carver_block_size <value> | Size of blocks used for POSTing data back to remote endpoints |
--carver_compression | Compress archives using zstd prior to upload (default false) |
--carver_continue_endpoint <value> | TLS/HTTPS endpoint that receives carved content after session creation |
--carver_disable_function | Disable the osquery file carver function (default true) |
--carver_expiry <value> | Seconds to store successful carve result metadata (in carves table) |
--carver_start_endpoint <value> | TLS/HTTPS init endpoint for forensic carver |
--config_accelerated_refresh <value> | Interval to wait if reading a configuration fails |
--config_check | Check the format of an osquery config and exit |
--config_dump | Dump the contents of the configuration, then exit |
--config_enable_backup | Backup config and use it when refresh fails |
--config_path <value> | Path to JSON config file |
--config_plugin <value> | Config plugin name |
--config_refresh <value> | Optional interval in seconds to re-read configuration |
--config_tls_endpoint <value> | TLS/HTTPS endpoint for config retrieval |
--config_tls_max_attempts <value> | Number of attempts to retry a TLS config request |
--daemonize | Attempt to daemonize (POSIX only) |
--database_dump | Dump the contents of the backing store |
--database_path <value> | If using a disk-based backing store, specify a path |
--disable_carver | Disable the osquery file carver (default true) |
--disable_enrollment | Disable enrollment functions on related config/logger plugins |
--disable_extensions | Disable extension API |
--disable_reenrollment | Disable re-enrollment attempts if related plugins return invalid |
--disable_tables <value> | Comma-delimited list of table names to be disabled |
--disable_watchdog | Disable userland watchdog process |
--enable_extensions_watchdog | Enable userland watchdog for extensions processes |
--enable_tables <value> | Comma-delimited list of table names to be enabled |
--enroll_always | On startup, send a new enrollment request |
--enroll_secret_env <value> | Name of environment variable holding enrollment-auth secret |
--enroll_secret_path <value> | Path to an optional client enrollment-auth secret |
--enroll_tls_endpoint <value> | TLS/HTTPS endpoint for client enrollment |
--extensions_autoload <value> | Optional path to a list of autoloaded & managed extensions |
--extensions_interval <value> | Seconds delay between connectivity checks |
--extensions_require <value> | Comma-separated list of required extensions |
--extensions_socket <value> | Path to the extensions UNIX domain socket |
--extensions_timeout <value> | Seconds to wait for autoloaded extensions |
--force | Force osqueryd to kill previously-running daemons |
--install | Install osqueryd as a service |
--logger_mode <value> | Octal mode for log files (default '0640') |
--logger_plugin <value> | Logger plugin name |
--logger_stderr | Write status logs to stderr |
--logtostderr | Log messages to stderr in addition to the logger plugin(s) |
--pidfile <value> | Path to the daemon pidfile mutex |
--proxy_hostname <value> | Optional HTTP proxy hostname |
--stderrthreshold <value> | Stderr log level threshold |
--tls_client_cert <value> | Optional path to a TLS client-auth PEM certificate |
--tls_client_key <value> | Optional path to a TLS client-auth PEM private key |
--tls_enroll_max_attempts <value> | The total number of attempts that will be made to the enroll endpoint if a request fails, 0 for infinite |
--tls_enroll_max_interval <value> | Maximum wait time in seconds between enroll retry attempts |
--tls_hostname <value> | TLS/HTTPS hostname for Config, Logger, and Enroll plugins |
--tls_server_certs <value> | Optional path to a TLS server PEM certificate(s) bundle |
--tls_session_reuse | Reuse TLS session sockets |
--tls_session_timeout <value> | TLS session keep alive timeout in seconds |
--uninstall | Uninstall osqueryd as a service |
--watchdog_delay <value> | Initial delay in seconds before watchdog starts |
--watchdog_forced_shutdown_delay <value> | Seconds that the watchdog will wait to do a forced shutdown after a graceful shutdown request, when a resource limit is hit |
--watchdog_latency_limit <value> | Override watchdog profile CPU utilization latency limit |
--watchdog_level <value> | Performance limit level |
--watchdog_memory_limit <value> | Override watchdog profile memory limit (e.g., 300, for 300MB) |
--watchdog_utilization_limit <value> | Override watchdog profile CPU utilization limit |
--audit_allow_config | Allow the audit publisher to change auditing configuration |
--audit_allow_fim_events | Allow the audit publisher to install filesystem-related rules |
--audit_allow_process_events | Allow the audit publisher to install process-related rules |
--audit_allow_sockets | Allow the audit publisher to install socket-related rules |
--audit_allow_user_events | Allow the audit publisher to install user-related rules |
--augeas_lenses <value> | Directory that contains augeas lenses files |
--aws_access_key_id <value> | AWS access key ID |
--aws_debug | Enable AWS SDK debug logging |
--aws_enable_proxy | Enable proxying of HTTP/HTTPS requests in AWS client config |
--aws_firehose_endpoint <value> | Custom Firehose endpoint |
--aws_firehose_period <value> | Seconds between flushing logs to Firehose (default 10) |
--aws_firehose_stream <value> | Name of Firehose stream for logging |
--aws_kinesis_disable_log_status | Disable status logs processing |
--aws_kinesis_endpoint <value> | Custom Kinesis endpoint |
--aws_kinesis_period <value> | Seconds between flushing logs to Kinesis (default 10) |
--aws_kinesis_random_partition_key | Enable random kinesis partition keys |
--aws_kinesis_stream <value> | Name of Kinesis stream for logging |
--aws_profile_name <value> | AWS profile for authentication and region configuration |
--aws_proxy_host <value> | Proxy host for use in AWS client config |
--aws_proxy_password <value> | Proxy password for use in AWS client config |
--aws_proxy_port <value> | Proxy port for use in AWS client config |
--aws_proxy_scheme <value> | Proxy HTTP scheme for use in AWS client config (http or https, default https) |
--aws_proxy_username <value> | Proxy username for use in AWS client config |
--aws_region <value> | AWS region |
--aws_secret_access_key <value> | AWS secret access key |
--aws_session_token <value> | AWS STS session token |
--aws_sts_arn_role <value> | AWS STS ARN role |
--aws_sts_region <value> | AWS STS region |
--aws_sts_session_name <value> | AWS STS session name |
--aws_sts_timeout <value> | AWS STS assume role credential validity in seconds (default 3600) |
--buffered_log_max <value> | Maximum number of logs in buffered output plugins (0 = unlimited) |
--decorations_top_level | Add decorators as top level JSON objects |
--disable_audit | Disable receiving events from the audit subsystem |
--disable_caching | Disable scheduled query caching |
--disable_database | Disable the persistent RocksDB storage |
--disable_decorators | Disable log result decoration |
--disable_distributed | Disable distributed queries (default true) |
--disable_endpointsecurity | Disable receiving events from the EndpointSecurity subsystem |
--disable_endpointsecurity_fim | Disable file events from the EndpointSecurity subsystem |
--disable_events | Disable osquery publish/subscribe system |
--disable_hash_cache | Cache calculated file hashes, re-calculate only if inode times change |
--disable_logging | Disable ERROR/INFO logging |
--distributed_interval <value> | Seconds between polling for new queries (default 60) |
--distributed_loginfo | Log the running distributed queries name at INFO level |
--distributed_plugin <value> | Distributed plugin name |
--distributed_tls_max_attempts <value> | Number of times to attempt a request |
--distributed_tls_read_endpoint <value> | TLS/HTTPS endpoint for distributed query retrieval |
--distributed_tls_write_endpoint <value> | TLS/HTTPS endpoint for distributed query results |
--docker_socket <value> | Docker UNIX domain socket path |
--enable_file_events | Enables the file_events publisher |
--enable_foreign | Enable no-op foreign virtual tables |
--enable_keyboard_events | Enable listening for keyboard events |
--enable_mouse_events | Enable listening for mouse events |
--enable_numeric_monitoring | Enable numeric monitoring system |
--ephemeral | Skip pidfile and database state checks |
--es_fim_mute_path_literal <value> | Comma delimited list of path literals to be muted for FIM |
--es_fim_mute_path_prefix <value> | Comma delimited list of path prefixes to be muted for FIM |
--events_expiry <value> | Timeout to expire event subscriber results |
--events_max <value> | Maximum number of event batches per type to buffer |
--events_optimize | Optimize subscriber select queries (scheduler only) |
--extensions_default_index | Enable INDEX on all extension table columns (default true) |
--hash_cache_max <value> | Size of LRU file hash cache |
--host_identifier <value> | Field used to identify the host running osquery (hostname, uuid, instance, ephemeral, specified) |
--logger_event_type | Log scheduled results as events |
--logger_kafka_acks <value> | The number of acknowledgments the leader has to receive (0, 1, 'all') |
--logger_kafka_brokers <value> | Bootstrap broker(s) as a comma-separated list of host or host:port (default port 9092) |
--logger_kafka_compression <value> | Compression codec to use for compressing message sets ('none' or 'gzip') |
--logger_kafka_topic <value> | Kafka topic to publish logs under |
--logger_min_status <value> | Minimum level for status log recording |
--logger_min_stderr <value> | Minimum level for statuses written to stderr |
--logger_numerics | Use numeric JSON syntax for numeric values |
--logger_path <value> | Directory path for ERROR/WARN/INFO and results logging |
--logger_rotate | Use filesystem log rotation |
--logger_rotate_max_files <value> | Max number of files to keep in rotation |
--logger_rotate_size <value> | Size for each filesystem log in bytes |
--logger_snapshot_event_type | Log scheduled snapshot results as events |
--logger_syslog_facility <value> | Syslog facility for status and results logs (0-23, default 19) |
--logger_syslog_prepend_cee | Prepend @cee: tag to logged JSON messages |
--logger_tls_compress | GZip compress TLS/HTTPS request body |
--logger_tls_endpoint <value> | TLS/HTTPS endpoint for results logging |
--logger_tls_max_lines <value> | Max number of logs to send per period |
--logger_tls_max_linesize <value> | Max size in bytes allowed per log line |
--logger_tls_period <value> | Seconds between flushing logs over TLS/HTTPS |
--nullvalue <value> | Set string for NULL values, default '' |
--numeric_monitoring_filesystem_path <value> | File to dump numeric monitoring records one per line. The format of the line is `<PATH><TAB><VALUE><TAB><TIMESTAMP>` |
--numeric_monitoring_plugins <value> | Comma separated numeric monitoring plugins names |
--numeric_monitoring_pre_aggregation_time <value> | Time period in seconds for numeric monitoring pre-aggregation buffer |
--pack_delimiter <value> | Delimiter for pack and query names |
--pack_refresh_interval <value> | Cache expiration for a pack's discovery queries |
--read_max <value> | Maximum file read size |
--schedule_default_interval <value> | Query interval to use if none is provided |
--schedule_epoch <value> | Epoch for scheduled queries |
--schedule_lognames | Log the running scheduled query name at INFO level |
--schedule_max_drift <value> | Max time drift in seconds |
--schedule_reload <value> | Interval in seconds to reload database arenas |
--schedule_splay_percent <value> | Percent to splay config times |
--schedule_timeout <value> | Limit the schedule to a duration in seconds, 0 for no limit |
--specified_identifier <value> | Field used to specify the host_identifier when set to 'specified' |
--table_delay <value> | Add an optional microsecond delay between table scans |
--table_exceptions | Allow tables to throw exceptions |
--thrift_string_size_limit <value> | Sets the maximum string size allowed in a thrift message, use 0 for unlimited |
--thrift_timeout <value> | Timeout for thrift socket operations |
--thrift_verbose | Enable the thrift log handler |
--tls_disable_status_log | Disable sending status logs |
--verbose | Enable verbose informational messages |
--worker_threads <value> | Number of work dispatch threads |
--yara_delay <value> | Time in ms to sleep after scan of each file (default 50) to reduce memory spikes |
--A <value> | Select all from a table |
--L | List all table names |
--connect <value> | Connect to an extension socket |
--csv | Set output mode to 'csv' |
--extension <value> | Path to a single extension to autoload |
--header | Toggle column headers true/false |
--json | Set output mode to 'json' |
--json_pretty | Set output mode to 'json_pretty' |
--line | Set output mode to 'line' |
--list | Set output mode to 'list' |
--pack <value> | Run all queries in a pack |
--planner | Enable osquery runtime planner output |
--profile <value> | Enable profile mode when non-0, set number of iterations |
--separator <value> | Set output field separator, default '|' |