osquery(1)
Query the state of your Linux system using SQL-like syntax; part of the osquery ecosystem for systems monitoring and incident response.
Synopsis
osqueryi [OPTIONS]
osqueryd [OPTIONS]
echo 'SELECT * FROM processes;' | osqueryi
Description
osquery is a framework that uses SQL to query operating system data. It exposes system information through virtual tables—processes, users, network connections, packages, and more—allowing you to perform complex forensics and compliance checks using familiar SQL queries.
osqueryi is the interactive shell; osqueryd is the background daemon used for continuous monitoring. Both read from a config file and can output results in JSON, CSV, or line-delimited formats.
Common use cases include auditing installed software, detecting unauthorized network connections, monitoring process execution, and verifying security configurations at scale.
Common options
| Flag | What it does |
|---|---|
| --config_path PATH | Path to the config file (JSON format); defines monitored paths, queries, and options |
| --flagfile PATH | Read command-line flags from a file, one per line |
| --json | Output results as JSON |
| --csv | Output results as comma-separated values |
| --line | Output results as newline-delimited JSON |
| --database_path PATH | Path to the osquery RocksDB directory where osqueryd stores state |
| --disable_logging | Disable logging to disk (useful for testing) |
| --verbose | Increase logging verbosity; can be repeated |
| --help | Display help message and all available flags |
Examples
Start the interactive osquery shell; displays a prompt where you can run SQL queries
osqueryi
Query running processes named sshd and return results as JSON
osqueryi --json "SELECT pid, name, cmdline FROM processes WHERE name = 'sshd';"
List the first 10 installed packages with their versions (Debian/Ubuntu); the package name column is name, not package
echo "SELECT name, version FROM deb_packages LIMIT 10;" | osqueryi --json
Find all system users (UID below 1000); the users table exposes username, not user
osqueryi "SELECT username, uid, gid FROM users WHERE uid < 1000;"
Start the osqueryd daemon using config from a flags file and a state database
osqueryd --flagfile /etc/osquery/osquery.flags --database_path /var/osquery/osquery.db
Find processes with open SSH connections (process_open_sockets has local_*/remote_* columns, not address/port)
osqueryi "SELECT pid, local_address, local_port, remote_address, remote_port, state FROM process_open_sockets WHERE remote_port = 22;"
Export current iptables rules to CSV for audit purposes
osqueryi --csv "SELECT * FROM iptables;" > firewall_rules.csv
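The examples above are one-shot queries; to run them continuously you hand osqueryd a config file. The following osquery.conf is an added example, not a file shipped with osquery: the query names, intervals and paths are assumptions, and it combines the page's processes and process_open_sockets queries into one JOIN so every SSH connection is logged with the owning process name. Queries without "snapshot" are differential (osqueryd logs only rows added or removed since the last run); the snapshot queries log the full result set each time, which is what you want for periodic audits of accounts and firewall rules.

```json
{
  "options": {
    "config_plugin": "filesystem",
    "logger_plugin": "filesystem",
    "logger_path": "/var/log/osquery",
    "database_path": "/var/osquery/osquery.db",
    "schedule_splay_percent": 10,
    "disable_events": true
  },
  "schedule": {
    "sshd_processes": {
      "query": "SELECT pid, name, cmdline FROM processes WHERE name = 'sshd';",
      "interval": 60
    },
    "ssh_connections": {
      "query": "SELECT p.pid, p.name, s.local_address, s.remote_address, s.remote_port, s.state FROM process_open_sockets s JOIN processes p USING (pid) WHERE s.remote_port = 22;",
      "interval": 30
    },
    "system_accounts": {
      "query": "SELECT username, uid, gid, shell FROM users WHERE uid < 1000;",
      "interval": 3600,
      "snapshot": true
    },
    "firewall_rules": {
      "query": "SELECT * FROM iptables;",
      "interval": 3600,
      "snapshot": true
    }
  }
}
```

Point the daemon at it with --config_path /etc/osquery/osquery.conf (or put that flag in the flags file); with the filesystem logger, differential results land in osqueryd.results.log and snapshot results in osqueryd.snapshots.log under logger_path, one JSON object per line.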