Osquery FAQedit

This list of frequently asked questions answers common questions about using Osquery in Kibana.

How is Osquery Manager different from Osquery?edit

The Osquery Manager integration brings Osquery capabilities to the Elastic Stack and makes it easier to manage Osquery across a large number of hosts. Most Osquery functionality works the same way in Kibana as it does when you deploy Osquery yourself. However, there are a few differences and known issues, outlined below.

How do I grant Full Disk Access?edit

Full Disk Access (FDA) is required to fully query some tables on MacOS. Granting FDA is not yet supported for Osquery Manager. This impacts a small set of tables that access file directories that are restricted due to heightened permissions from Apple, including file, file_events, es_process_events, and any custom tables configured with ATC that require access to these directories. When querying these tables, you won’t get results from the restricted directories.

Why can’t I query the carves table?edit

File carving is not yet supported in the Elastic Stack, and carves table queries do not return results.

Does the Osquery .help command work in Kibana?edit

The Osquery .help command is not available when running live queries in Kibana. Instead, refer to the Osquery schema for all available tables, fields, and supported Operating Systems for each.

Can I use Osquery extensions in Kibana?edit

Osquery Manager does not currently support Osquery extensions.

Can I do File Integrity Monitoring (FIM)?edit

Yes, you can set up Osquery FIM using the Advanced configuration option for Osquery Manager (see Customize Osquery configuration). However, Elastic also provides a File Integrity Monitoring integration for Elastic Agent, which might prove to be easier to configure than the current options available for Osquery Manager.

Where can I get help with osquery syntax?edit

Osquery uses a superset of SQLite for queries. To get started with osquery SQL, refer to the Osquery documentation. For help with more advanced questions, the Osquery community has an active Slack workspace and GitHub project. You can find links for both at osquery.io.

How often is Osquery updated for Osquery Manager?edit

When a new version of Osquery is released, it is included in a subsequent Elastic Agent release and applied when the agent is upgraded. After that, when running queries from Osquery Manager in Kibana, the updated Osquery version is used. Refer to the Fleet and Elastic Agent Guide for help with upgrading Fleet-managed Elastic Agents.

To check what Osquery version is installed on an Elastic Agent, you can run SELECT version FROM osquery_info; as a live query in Kibana. The version in the response is the Osquery version installed on the agent.