OSQuery: Get your system info like you were querying a database

So I discovered this really cool project called OSQuery by Facebook. It exposes an operating system as a high-performance relational database. This means you can get information about your system via SQL-like queries, which is awesome.

If you have ever tried to build a system monitoring tool, for instance one that requires crunching some system metrics, you know how hard it is to parse that info. You have to use a number of bash scripts that rely heavily on text-processing tools like grep, awk or sed to extract the right info.

For instance, consider this bash one-liner, which gets the interface IP addresses:

ifconfig | awk -F "[: ]+" '/inet addr:/ { if ($4 != "127.0.0.1") print $4 }'
192.168.100.171  
10.0.3.1  
192.168.0.101  

Now imagine you could achieve the same by simply entering select * from interface_addresses;. Wow, how convenient.

The following are some other examples of queries you can run with OSQuery.


#Get your system info
osquery> select * from system_info;  
          hostname = daverig.oquidave.loc
              uuid = c2dea581-1443-43e2-b3dd-06ef4147c95c
          cpu_type = 6
       cpu_subtype = 69
         cpu_brand = Intel(R) Core(TM) i3-4030U CPU @ 1.90GHz
cpu_physical_cores = 4  
 cpu_logical_cores = 4
   physical_memory = 8257159168
   hardware_vendor = 
    hardware_model = 
  hardware_version = 
   hardware_serial = 
     computer_name = daverig.oquidave.loc

#Get all users
osquery> select * from users;  
        uid = 0
        gid = 0
 uid_signed = 0
 gid_signed = 0
   username = root
description = root  
  directory = /root
      shell = /bin/bash
       uuid = 

        uid = 1
        gid = 1
 uid_signed = 1
 gid_signed = 1
   username = daemon
description = daemon  
  directory = /usr/sbin
      shell = /usr/sbin/nologin
       uuid = 

#Get USB devices 
osquery> select * from usb_devices;  
usb_address = 2  
   usb_port = 1
     vendor = Linux Foundation
  vendor_id = 1d6b
      model = 2.0 root hub
   model_id = 0002
     serial = 0000:00:14.0
  removable = -1

usb_address = 2  
   usb_port = 
     vendor = Foxconn / Hon Hai
  vendor_id = 0489
      model = 
   model_id = e078
     serial = 
  removable = -1

#Get ip routes 
osquery> select * from routes;  
destination = 0.0.0.0  
    netmask = 0
    gateway = 192.168.0.1
     source = 
      flags = 0
  interface = wlan0
        mtu = 0
     metric = 600
       type = gateway

destination = 10.0.3.0  
    netmask = 24
    gateway = 
     source = 10.0.3.1
      flags = 0
  interface = lxcbr0
        mtu = 0
     metric = 0
       type = gateway

#Get name servers; 
osquery> select * from dns_resolvers;  
     id = 0
   type = nameserver
address = 127.0.1.1  
netmask = 32  
options = 524993

     id = 0
   type = search
address = oquidave.loc  
netmask =  
options = 524993

#Interfaces
osquery> select * from interface_addresses;  
     interface = lo
       address = 127.0.0.1
          mask = 255.0.0.0
     broadcast = 
point_to_point = 127.0.0.1

     interface = eth0
       address = 192.168.100.171
          mask = 255.255.255.0
     broadcast = 192.168.100.255
point_to_point = 

osquery> select address, mask from interface_addresses where interface = 'wlan0';
address = 192.168.0.101  
   mask = 255.255.255.0
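
The following is an added example, not code from the original post: it loads rows copied from the output above into an in-memory SQLite database (osquery is built on SQLite) and runs two queries, one matching the awk one-liner and one joining routes to interface_addresses to find the address behind the default route. The lxcbr0 mask and the helper names load_sample and run are assumptions; on a real host the two SELECT statements go straight into osqueryi.

```python
import sqlite3

# Constructed stand-in data: rows copied from the osquery output on this page.
# The lxcbr0 mask is an assumption derived from the /24 route shown above.
INTERFACE_ADDRESSES = [  # (interface, address, mask)
    ("lo", "127.0.0.1", "255.0.0.0"),
    ("eth0", "192.168.100.171", "255.255.255.0"),
    ("lxcbr0", "10.0.3.1", "255.255.255.0"),
    ("wlan0", "192.168.0.101", "255.255.255.0"),
]
ROUTES = [  # (destination, netmask, gateway, interface, metric)
    ("0.0.0.0", 0, "192.168.0.1", "wlan0", 600),
    ("10.0.3.0", 24, "", "lxcbr0", 0),
]

# Same result as the ifconfig/awk one-liner: every address except loopback.
# (On a real host this table also lists IPv6 addresses.)
NON_LOOPBACK = """
SELECT address FROM interface_addresses
WHERE address != '127.0.0.1'
ORDER BY address;
"""

# A join across two tables: which local address and gateway carry the
# default route. With text tools this needs a second command and more parsing.
DEFAULT_ROUTE = """
SELECT r.interface, a.address, r.gateway
FROM routes r JOIN interface_addresses a ON a.interface = r.interface
WHERE r.destination = '0.0.0.0' AND r.netmask = 0
ORDER BY r.metric LIMIT 1;
"""

def load_sample():
    """Build an in-memory database holding the constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE interface_addresses (interface, address, mask)")
    db.execute("CREATE TABLE routes (destination, netmask, gateway, interface, metric)")
    db.executemany("INSERT INTO interface_addresses VALUES (?, ?, ?)", INTERFACE_ADDRESSES)
    db.executemany("INSERT INTO routes VALUES (?, ?, ?, ?, ?)", ROUTES)
    return db

def run(db, query):
    """Execute one query and return all rows as a list of tuples."""
    return db.execute(query).fetchall()

if __name__ == "__main__":
    db = load_sample()
    print(run(db, NON_LOOPBACK))
    print(run(db, DEFAULT_ROUTE))
```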

While OSQuery seems to be in its early stages, I can definitely see its promise for admins and devs who want to write system monitoring tools.

David Okwii

David Okwii is a Uganda-based technology writer and systems engineer.

Kampala Uganda http://www.davidokwii.com
