• d

    Dhruv Rathod

    6 months ago
    Hi everyone
    instance = osquery.ExtensionClient('\\\\.\pipe\shell.em')
    instance.open()
    client = instance.extension_client()
    print(client.query('select * from time'))
    In this code, it's possible to query osquery via the thrift socket without creating any new extension. I want to ask if it is also possible to set the config and get the logs for the running osquery instance without creating a new extension, and just read/write via the extension_client?
  • s

    seph

    6 months ago
    I don’t understand your question. You can send queries to a running osquery using the socket, yes. And you’ll get back the results. To do this you need to have something that can talk thrift. I’m not sure what you mean by logs here. Osquery writes the logs to a log destination. It does not store them waiting for a query over the thrift socket,
  • d

    Dhruv Rathod

    6 months ago
    Oh, my bad! I saw the logger extension example just now. Sorry for that 😅 What I meant was that: can I implement this config plugin (https://github.com/osquery/osquery-python/blob/master/examples/foobar_config.ext) without creating an extension, and directly communicate with the thrift socket?
  • s

    seph

    6 months ago
    I’m pretty unsure about what you’re asking.
  • At some level, what is an extension anyhow? It’s something that osquery talks to over the thrift socket.
  • You can write whatever you want to talk to osquery over it. There’s not much documentation about the interface, but there are examples.
  • I think osquery uses a pull model for it’s config. So if you wanted to have a config come in via the socket, it has to be something that osquery can pull from, which is probably an extension?
  • But this whole set of questions just has me confused.
  • d

    Dhruv Rathod

    6 months ago
    So sorry for confusing you @seph, tbh I could have and absolutely should've phrased the question better than I could. But you answered my question perfectly! I was just worried about not creating an extension so much, but I finally realized that it didn't matter. I apologize for wasting your time like this though!
  • Just one more question though 😄: https://github.com/osquery/osquery-python/blob/master/examples/foobar_config.ext In this code, the
    content
    method is returning two JSON configs, right? So is there any way to specifically run one of these? Like how is it working actually?
  • s

    seph

    6 months ago
    method is returning two JSON configs, right Huh. That’s an excellent point. I have no idea what that’s doing.
  • Generally speaking, I’d expect a extension to <do something> and return a config. And I’d expect osquery to replace the running config with whatever it got, and then follow the schedule,
  • d

    Dhruv Rathod

    6 months ago
    Yeah, me too. Anyways thankyou so much for your help!