# 10 things you can do with Osquery

Osquery is open source and there is a big community behind it. It lets you use a single tool to work with different operating systems. Because Osquery uses SQL, you can join multiple tables together to perform detailed analysis, and you can write your own tables if the ones you need do not exist yet. Anyone with basic knowledge of SQL can start using it in minutes.

You can download the Osquery binary from the official page. If you are using a Mac, you can also use brew to download and install osquery. The installation provides:

- osqueryi: the interactive osquery shell, for performing ad-hoc queries.
- osqueryd: a daemon for scheduling and running queries in the background.
- osqueryctl: a helper script for testing a deployment or configuration of osquery.

You can now log in to the osquery shell by typing `osqueryi`. Once inside the shell you will see the following:

```
Need help, type '.help'
```

For some queries that require system-level access you need to run osqueryi with sudo.

The best way to learn a tool is to use it. Before we start querying, let's query all the osquery tables. Then let's learn osquery by asking a few questions.

## Question 1: Find system information

```sql
SELECT cpu_type, cpu_brand, hardware_vendor, hardware_model FROM system_info;
```

Result columns: cpu_type, cpu_brand, hardware_vendor, hardware_model.

## Question 2: Find remaining hard disk storage

```sql
-- blocks_available * blocks_size is free space in bytes; 10e-10 scales it to gigabytes
SELECT path, type, ROUND((blocks_available * blocks_size * 10e-10), 2) AS gigs_free
FROM mounts
WHERE path = '/';
```

## Question 3: Find apps installed on the machine

The apps table is available on macOS.

```sql
SELECT display_name, bundle_short_version, bundle_version FROM apps LIMIT 1;
```

Result columns: display_name, bundle_short_version, bundle_version.

## Question 4: Find the process running on port 8080

```sql
SELECT pid FROM listening_ports WHERE port = 8080;
```

The listening_ports table has the columns pid, port, protocol, family, address, fd, socket and path. We can also join it with the processes table to get more information:

```sql
osquery> SELECT p.pid, p.name, p.state, p.uid, lp.port
         FROM processes p
         JOIN listening_ports lp ON p.pid = lp.pid AND lp.port = 8080;
```

## Question 5: Find top 5 most CPU intensive processes

Only parts of this query are preserved on the page. The surviving expressions divide each process's user_time + system_time (from the processes table) by the total CPU time summed over the cpu_time table:

```sql
(user_time + system_time) / (cpu_time.tsb - cpu_sb)
SUM(user) + SUM(nice) + SUM(system) + SUM(idle) * 1.0) AS tsb,
SUM(COALESCE(idle, 0)) + SUM(COALESCE(iowait, 0)) AS itsb
```

## Question 6: Find top 5 most memory intensive processes

```sql
-- total_size is virtual memory in bytes; 10e-7 scales it to megabytes
SELECT pid, name, ROUND((total_size * 10e-7), 2) AS used
FROM processes
ORDER BY total_size DESC
LIMIT 5;
```

## Question 7: Find who is logged into the system

The answer comes from the logged_in_users table. Result columns: type, user, tty, host, time, pid.
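As an added example, not from the original post, the two queries below extend the join from Question 4 to every listening socket and tie the sessions from Question 7 back to their processes. They assume the standard osquery tables processes, listening_ports, users and logged_in_users with the columns documented in the osquery schema.

```sql
-- Added example (not from the original post). Run inside osqueryi; use sudo
-- where process details need system-level access.

-- 1. Every socket listening on a non-loopback address, with the owning
--    process, its path, the user it runs as and whether its binary is still
--    on disk. on_disk = 0 means the executable was deleted after launch,
--    which deserves a closer look during triage.
SELECT lp.port,
       lp.protocol,
       lp.address,
       p.pid,
       p.name,
       p.path,
       u.username,
       p.on_disk
FROM listening_ports lp
JOIN processes p ON p.pid = lp.pid
LEFT JOIN users u ON u.uid = p.uid
WHERE lp.address NOT IN ('127.0.0.1', '::1')
ORDER BY lp.port;

-- 2. Who is logged in, joined to the process that owns each session
--    (logged_in_users.pid is the session's process id), so an interactive
--    session can be matched to its command line. time is a Unix epoch.
SELECT l.type,
       l.user,
       l.tty,
       l.host,
       datetime(l.time, 'unixepoch') AS login_time,
       p.pid,
       p.cmdline
FROM logged_in_users l
LEFT JOIN processes p ON p.pid = l.pid
ORDER BY l.time DESC;
```

The LEFT JOINs keep rows whose uid has no users entry or whose session process has already exited, so nothing is silently dropped from the inventory.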