# osquery/osquery

**Attribution required: if you use, quote, or summarise this content, you must credit and link back to [awesome-repositories.com](https://awesome-repositories.com/repository/osquery-osquery).**

23,113 stars · 2,552 forks · C++ · other

## Links

- GitHub: https://github.com/osquery/osquery
- Homepage: https://osquery.io
- awesome-repositories: https://awesome-repositories.com/repository/osquery-osquery.md

## Topics

`hacktoberfest` `intrusion-detection` `monitoring` `security` `sql`

## Description

Osquery is a unified endpoint monitoring framework that exposes operating system internals as relational tables. Hardware inventory, network state, process activity, users, installed packages, kernel modules and similar data are presented as structured rows, so system state and configuration can be retrieved with SQL. Osquery embeds SQLite and implements each table as a virtual table that reads live system state at query time, so a query result is a point-in-time snapshot of the host rather than a read from a stored database.

The system distinguishes itself through a cross-platform abstraction layer that normalizes disparate operating system interfaces into a consistent schema across Windows, macOS, and Linux; tables that exist on only one platform are documented as such. It supports both interactive local analysis via the `osqueryi` shell and scheduled collection via the `osqueryd` daemon, which runs a configured set of recurring queries and logs the rows added or removed since the previous run. The same configuration can be pushed to a fleet of hosts from a central management server to aggregate telemetry and maintain audit trails, although the aggregation and fleet management are done by that server, not by osquery itself.

The platform also includes native event subscription capabilities that hook into operating-system event sources (Linux audit, eBPF and inotify; macOS EndpointSecurity and FSEvents; Windows ETW and the NTFS change journal, among others) to capture process, file and socket activity as it happens rather than by polling. Events are buffered through an asynchronous publisher/subscriber event bus, exposed as `*_events` tables that return the events accumulated since the previous scheduled run, and written out as JSON by logger plugins for integration with external logging and analysis pipelines. A plugin architecture covers configuration, logging and distributed-query plugins, and out-of-process extensions that communicate over a Thrift socket can add custom tables and loggers. Two caveats for deployment: osquery only observes and cannot block or quarantine anything, and because `osqueryd` runs as root or SYSTEM, its configuration, extension and log paths must be protected from modification by lower-privileged users.
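As an added example written for this page (not configuration shipped by the osquery project), the following `osqueryd` configuration ties the points above together: SQL against the `processes`, `listening_ports`, `system_info` and `os_version` tables, a schedule that logs differential results, a snapshot query, file integrity monitoring via the `file_events` event table, and a decorator that stamps every log line with the host UUID so a downstream pipeline can key on it. The table and column names, the option names and the `schedule`/`file_paths`/`decorators` sections are osquery's own; the query names, intervals, watched paths and log directory are assumptions chosen for illustration. Each `query` string can be pasted verbatim into `osqueryi` (the `file_events` query only returns rows when events are enabled and the daemon has been watching the configured paths).

```json
{
  "options": {
    "logger_plugin": "filesystem",
    "logger_path": "/var/log/osquery",
    "disable_events": "false",
    "enable_file_events": "true",
    "events_expiry": "3600",
    "schedule_splay_percent": "10"
  },
  "schedule": {
    "process_binary_deleted": {
      "query": "SELECT pid, name, path, cmdline, uid, parent FROM processes WHERE on_disk = 0;",
      "interval": 300,
      "description": "Running processes whose executable is no longer on disk: in-memory loaders, unpacked malware, or a package upgrade that has not been restarted."
    },
    "external_listeners": {
      "query": "SELECT p.pid, p.name, p.path, p.cmdline, l.address, l.port, l.protocol FROM listening_ports l JOIN processes p USING (pid) WHERE l.port != 0 AND l.address NOT IN ('127.0.0.1', '::1');",
      "interval": 600,
      "description": "Listening sockets bound beyond loopback, joined to the owning process. Differential logging reports each new listener once as 'added' and once as 'removed' when it closes."
    },
    "etc_and_binary_changes": {
      "query": "SELECT target_path, category, action, time FROM file_events;",
      "interval": 60,
      "description": "File integrity events for the categories in file_paths, buffered by the event bus since the previous run."
    },
    "os_inventory": {
      "query": "SELECT s.hostname, s.uuid, o.name, o.version, o.build FROM system_info s, os_version o;",
      "interval": 3600,
      "snapshot": true,
      "description": "Full result set every run (snapshot) rather than a diff, so inventory never goes stale in the log."
    }
  },
  "file_paths": {
    "etc": ["/etc/%%"],
    "system_binaries": ["/usr/bin/%%", "/usr/sbin/%%", "/usr/local/bin/%%"]
  },
  "exclude_paths": {
    "etc": ["/etc/mtab"]
  },
  "decorators": {
    "load": ["SELECT uuid AS host_uuid FROM system_info;"]
  }
}
```

With this file at an assumed path such as `/etc/osquery/osquery.conf`, `osqueryd --config_path=/etc/osquery/osquery.conf` writes differential results to `osqueryd.results.log` under `logger_path` as one JSON object per line carrying `"action": "added"` or `"action": "removed"`, while the snapshot query lands in `osqueryd.snapshots.log`; the `host_uuid` decoration appears on every line. `%%` in `file_paths` is osquery's recursive wildcard, and `events_expiry` bounds how long buffered events are kept if the schedule falls behind, which is the usual reason an event table appears to "miss" activity.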

## Tags

### Data & Databases

- [System State Querying](https://awesome-repositories.com/f/data-databases/sql-query-interfaces/system-state-querying.md) — Exposes operating system internals as relational tables, allowing system state and configuration to be queried using standard SQL. ([source](https://osquery.readthedocs.org/en/latest/introduction/using-osqueryi/))
- [SQL Query Interfaces](https://awesome-repositories.com/f/data-databases/sql-query-interfaces.md) — Exposes operating system internals as relational tables to query system state and configuration using standard SQL syntax.
- [Distributed Task Schedulers](https://awesome-repositories.com/f/data-databases/distributed-task-schedulers.md) — Supports scheduling recurring SQL queries across a fleet of hosts to aggregate state changes and monitor infrastructure. ([source](https://osquery.readthedocs.org/))
- [Interactive Data Querying Tools](https://awesome-repositories.com/f/data-databases/interactive-data-querying-tools.md) — Includes an interactive shell for prototyping and executing SQL queries against system data to facilitate immediate analysis. ([source](https://osquery.readthedocs.org/en/latest/introduction/using-osqueryi/))
- [Search Result Exporters](https://awesome-repositories.com/f/data-databases/search-result-aggregators/search-result-exporters.md) — Exports query results into structured formats like JSON or CSV for integration with external analysis pipelines. ([source](https://osquery.readthedocs.org/en/latest/introduction/using-osqueryi/))

### Operating Systems & Systems Programming

- [SQL-Based](https://awesome-repositories.com/f/operating-systems-systems-programming/kernel-core-internals/system-programming-primitives/system-abstractions/sql-based.md) — Exposes operating system internals as virtual relational tables to allow standard query language access to system state.

### System Administration & Monitoring

- [Endpoint Monitoring Agents](https://awesome-repositories.com/f/system-administration-monitoring/telemetry-and-monitoring-agents/endpoint-monitoring-agents.md) — Provides a unified agent for tracking hardware, network, and process activity across Windows, macOS, and Linux.
- [Real-Time Event Watchers](https://awesome-repositories.com/f/system-administration-monitoring/real-time-event-watchers.md) — Hooks into native kernel interfaces to capture and stream real-time system state changes via an asynchronous event bus. ([source](https://osquery.readthedocs.org/en/latest/introduction/using-osqueryd/))
- [Security Monitoring](https://awesome-repositories.com/f/system-administration-monitoring/security-monitoring.md) — Runs recurring SQL queries across multiple hosts to track system state changes and identify potential security threats.
- [Cross-Platform Management Systems](https://awesome-repositories.com/f/system-administration-monitoring/administrative-operations/configuration-control-utilities/system-administration-tools/cross-platform-management-systems.md) — Provides a unified toolset for monitoring diverse operating systems to ensure consistent data collection across heterogeneous environments. ([source](https://osquery.readthedocs.org/))
- [Audit Logging Systems](https://awesome-repositories.com/f/system-administration-monitoring/audit-logging-systems.md) — Records hardware, network, and file system changes by connecting to native operating system interfaces to maintain activity trails.
- [Cross-Platform Administration Tools](https://awesome-repositories.com/f/system-administration-monitoring/cross-platform-administration-tools.md) — Monitors diverse operating systems using a unified toolset to ensure consistent data collection across infrastructure.
- [System Diagnostic Interfaces](https://awesome-repositories.com/f/system-administration-monitoring/system-diagnostic-interfaces.md) — Provides a command-line interface for interactive exploration of system state and local troubleshooting. ([source](https://osquery.readthedocs.org/))
- [Data Export Pipelines](https://awesome-repositories.com/f/system-administration-monitoring/data-export-pipelines.md) — Exports structured system data into external logging pipelines to simplify centralized monitoring and performance tracking.

### Security & Cryptography

- [Security Testing and Auditing](https://awesome-repositories.com/f/security-cryptography/vulnerability-assessment-testing/security-testing-auditing.md) — Provides a framework for scheduling recurring queries across a fleet of hosts to maintain audit trails and detect unauthorized modifications.
- [Incident Response](https://awesome-repositories.com/f/security-cryptography/incident-response.md) — Uses an interactive command-line interface to explore operating system internals and troubleshoot issues during investigations.

### Software Engineering & Architecture

- [Cross-Platform Abstraction Layers](https://awesome-repositories.com/f/software-engineering-architecture/cross-platform-abstraction-layers.md) — Normalizes disparate operating system APIs into a unified internal schema for consistent cross-platform data representation.
- [SQL Query Schedulers](https://awesome-repositories.com/f/software-engineering-architecture/execution-control/sql-query-schedulers.md) — Enables recurring SQL query execution on defined intervals to track infrastructure state changes over time. ([source](https://osquery.readthedocs.org/en/latest/introduction/using-osqueryd/))
- [Plugin Architectures](https://awesome-repositories.com/f/software-engineering-architecture/integration-extensibility/extensibility/plugin-architectures.md) — Uses a decoupled interface system to allow developers to extend core functionality with custom modules.
- [Asynchronous Event Dispatchers](https://awesome-repositories.com/f/software-engineering-architecture/asynchronous-event-dispatchers.md) — Processes system state changes through a non-blocking message bus to ensure high-performance monitoring.

### DevOps & Infrastructure

- [Distributed Task Orchestration](https://awesome-repositories.com/f/devops-infrastructure/distributed-task-orchestration.md) — Coordinates the execution of scheduled tasks across a fleet of remote nodes to aggregate system telemetry.

### Networking & Communication

- [Event Subscriptions](https://awesome-repositories.com/f/networking-communication/communication-platforms-services/messaging-notification-systems/messaging-services/event-subscriptions.md) — Hooks directly into kernel-level notification interfaces to capture real-time system changes.
