CentOS 7
Ads

OSQuery : Install
2016/10/16
 
Install OSQuery by Facebook to monitor information of System.
It's possible to see various System informations with queries like SQL.
[1] Install OSQuery.
[root@dlp ~]#
yum -y install https://osquery-packages.s3.amazonaws.com/centos7/noarch/osquery-s3-centos7-repo-1-0.0.noarch.rpm

[root@dlp ~]#
yum -y install osquery
[2] These are some examples of Basic Operation of OSQuery. Refer to the official site below to see the details of all tables.
  ⇒ https://osquery.io/docs/tables/
# run osquery shell

[root@dlp ~]#
osqueryi

osquery - being built, with love, at Facebook
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Using a virtual database. Need help, type '.help'
osquery> 

# show all column of tables for OS version
osquery> select * from os_version; 
+--------------+-------+-------+-------+-------+
| name         | major | minor | patch | build |
+--------------+-------+-------+-------+-------+
| CentOS Linux | 7     | 2     | 1511  |       |
+--------------+-------+-------+-------+-------+

# show some column of tables for System info
osquery> select hostname, cpu_brand, hardware_vendor, hardware_model from system_info; 
+---------------+-------------------------------------------+-----------------+----------------+
| hostname      | cpu_brand                                 | hardware_vendor | hardware_model |
+---------------+-------------------------------------------+-----------------+----------------+
| dlp.srv.world | Intel(R) Xeon(R) CPU E5-2660 v3 @ 2.60GHz | Red Hat         | KVM            |
+---------------+-------------------------------------------+-----------------+----------------+

# show some column of tables and also specify over 1000 of UID for User info
osquery> select uid, gid, username, shell from users where uid >= 1000; 
+------+------+----------+-----------+
| uid  | gid  | username | shell     |
+------+------+----------+-----------+
| 1000 | 1000 | cent     | /bin/bash |
| 1001 | 1001 | redhat   | /bin/bash |
| 1002 | 1002 | ubuntu   | /bin/bash |
+------+------+----------+-----------+

# show all column of tables for CPU Time
osquery> select * from cpu_time; 
+------+------+------+--------+--------+--------+-----+---------+-------+-------+------------+
| core | user | nice | system | idle   | iowait | irq | softirq | steal | guest | guest_nice |
+------+------+------+--------+--------+--------+-----+---------+-------+-------+------------+
| 0    | 870  | 0    | 597    | 298134 | 4      | 0   | 11      | 8     | 0     | 0          |
| 1    | 3717 | 0    | 1164   | 294858 | 10     | 0   | 3       | 1     | 0     | 0          |
| 2    | 1189 | 0    | 873    | 297573 | 13     | 0   | 0       | 33    | 0     | 0          |
| 3    | 1150 | 0    | 1233   | 297503 | 6      | 0   | 0       | 2     | 0     | 0          |
+------+------+------+--------+--------+--------+-----+---------+-------+-------+------------+

# to quit shell, push Ctrl+D 
osquery> 
[root@dlp ~]#
 
Tweet