Osquery is a unified endpoint monitoring framework that exposes operating system internals as relational tables. By representing hardware, network, and process activity as structured data, it allows users to retrieve system state and configuration information using standard SQL syntax.
The system distinguishes itself through a cross-platform abstraction layer that normalizes disparate operating system interfaces into a consistent schema across Windows, macOS, and Linux. It supports both interactive local analysis via a command-line shell and distributed fleet orchestration, where recurring queries are scheduled across multiple hosts to aggregate telemetry and maintain audit trails.
The platform includes native event subscription capabilities that hook into kernel-level interfaces to capture real-time system changes. This data is processed through an asynchronous event bus and can be exported in structured formats for integration with external logging and analysis pipelines. A modular plugin architecture further allows for the extension of core functionality, including custom logging and data retrieval modules.
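As an added example (not code from the original page or from the osquery project), the Python below consumes osqueryd differential result-log lines and flags newly opened listening sockets whose owning binary lives outside trusted directories. The scheduled query name, the join over `listening_ports` and `processes`, the host name and the sample rows are all constructed assumptions; the field names follow osquery's results log format.

```python
import json
from typing import Iterator

# Constructed osqueryd differential result-log lines (sample data, not a real
# capture) for an assumed scheduled query named "listening_ports":
# "SELECT lp.pid, lp.port, lp.protocol, lp.address, p.path
#  FROM listening_ports lp JOIN processes p USING (pid)".
# "columns" holds one row, "action" is "added"/"removed" relative to the
# previous run, and snapshot-mode queries carry a "snapshot" array instead.
SAMPLE_RESULT_LOG = """\
{"name":"listening_ports","hostIdentifier":"web-01","unixTime":1709632800,"columns":{"pid":"1423","port":"8443","protocol":"6","address":"0.0.0.0","path":"/usr/sbin/nginx"},"action":"added"}
{"name":"listening_ports","hostIdentifier":"web-01","unixTime":1709632800,"columns":{"pid":"2210","port":"8081","protocol":"6","address":"0.0.0.0","path":"/tmp/.cache/helper"},"action":"added"}
{"name":"listening_ports","hostIdentifier":"web-01","unixTime":1709632800,"columns":{"pid":"987","port":"22","protocol":"6","address":"0.0.0.0","path":"/usr/sbin/sshd"},"action":"removed"}
{"name":"os_version","hostIdentifier":"web-01","unixTime":1709632800,"snapshot":[{"name":"Ubuntu","version":"22.04"}],"action":"snapshot"}
this line is deliberately corrupt and must be skipped
"""

# Directories from which a newly listening binary is considered expected.
TRUSTED_PREFIXES = ("/usr/sbin/", "/usr/bin/", "/usr/lib/")


def parse_results(log_text: str) -> Iterator[dict]:
    """Yield one record per well-formed JSON line; skip malformed lines."""
    for line in log_text.splitlines():
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue  # a truncated or corrupt line must not abort the pipeline


def new_untrusted_listeners(log_text: str) -> list:
    """Return (host, pid, port, path) for sockets that appeared since the
    previous run and whose owning binary lives outside TRUSTED_PREFIXES."""
    findings = []
    for rec in parse_results(log_text):
        # Only "added" rows of the listening_ports query are of interest;
        # "removed" rows and other queries' snapshot records are ignored.
        if rec.get("name") != "listening_ports" or rec.get("action") != "added":
            continue
        cols = rec["columns"]
        path = cols.get("path", "")
        if not path.startswith(TRUSTED_PREFIXES):
            findings.append((rec["hostIdentifier"], int(cols["pid"]),
                             int(cols["port"]), path))
    return findings


if __name__ == "__main__":
    for finding in new_untrusted_listeners(SAMPLE_RESULT_LOG):
        print("new listener outside trusted paths:", finding)
```

The same loop can be pointed at the real `osqueryd.results.log` file, where each line has the same shape as the constructed records above.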