Best way to retrieve osquery query run results from external app? #575
Hi. What is the intended way to collect data related to osquery query runs shown in the Zentral web interface from an external application? Are there any Zentral APIs exposing such data?
Thanks.

Comments

Hi. I have just added the documentation for the existing API endpoint that can be used to download the results of an Osquery run. There are still other undocumented endpoints, and we are planning some work on this part of the project at the beginning of January. Could you describe the workflow you have in mind so that we can evaluate if some of the required endpoints are missing?

Hi. We'd like to deploy osquery remote configuration to a bunch of hosts, schedule execution of a set of 5-10 queries recurring with different intervals (from a few seconds to 24 hours) while collecting run results via the Zentral API in order to detect deltas and/or potentially critical conditions in terms of availability or security.

The scheduled queries produce events when osquery detects changes on a host or every time they run (snapshot mode). Those are automatically collected by Zentral and shipped to the configured event stores. You can also apply some routing to ship some of the query pack results only to some stores. What are called "runs" in Zentral are the distributed or "on demand" queries. We do not turn the results into events, since they do not really align with them. Those are more "exploratory" tools. The API I pointed to is the one to retrieve the results for the "on-demand" queries, not the scheduled ones. Zentral also can do a little bit more with the Osquery queries, when they are written to output a