Osquery is a powerful tool that allows you to investigate and monitor a myriad of endpoint activity, status, and configuration information through a unified SQL interface. Inside osquery, there's typically a 1:1 correspondence between a source of information and the SQL table you can use to browse or search this information. Some sources of information include parts of the
/proc file system, API calls to container daemons, reading logs or status files on disk, and event streams coming from the Linux audit frame.
- Use Cases
- About Us