Notes:
osquery is Facebook's open-source tool that exposes operating-system metrics as SQL tables you can query. It is convenient and easy to use, and well suited to DevOps performance analysis and system monitoring.
1. Installation
See https://osquery.io/downloads/official/2.11.2
I am using CentOS and installed from the rpm package:
wget https://pkg.osquery.io/rpm/osquery-2.11.2-1.linux.x86_64.rpm
yum install -y osquery-2.11.2-1.linux.x86_64.rpm
2. Basic usage
a. Simple SQL
osqueryi
For example, to query the system's users:
select * from users;
b. List the system tables
.table
=> acpi_tables
=> apt_sources
=> arp_cache
=> augeas
=> authorized_keys
=> block_devices
=> carbon_black_info
=> carves
=> chrome_extensions
=> cpu_time
=> cpuid
=> crontab
=> curl
=> curl_certificate
=> deb_packages
=> device_file
=> device_hash
=> device_partitions
=> disk_encryption
=> dns_resolvers
=> docker_container_labels
=> docker_container_mounts
=> docker_container_networks
=> docker_container_ports
=> docker_container_processes
=> docker_container_stats
=> docker_containers
=> docker_image_labels
=> docker_images
=> docker_info
=> docker_network_labels
=> docker_networks
=> docker_version
=> docker_volume_labels
=> docker_volumes
=> ec2_instance_metadata
=> ec2_instance_tags
=> etc_hosts
=> etc_protocols
=> etc_services
=> file
=> file_events
=> firefox_addons
=> groups
=> hardware_events
=> hash
=> intel_me_info
=> interface_addresses
=> interface_details
=> iptables
=> kernel_info
=> kernel_integrity
=> kernel_modules
=> known_hosts
=> last
=> listening_ports
=> lldp_neighbors
=> load_average
=> logged_in_users
=> magic
=> md_devices
=> md_drives
=> md_personalities
=> memory_info
=> memory_map
=> mounts
=> msr
=> opera_extensions
=> os_version
=> osquery_events
=> osquery_extensions
=> osquery_flags
=> osquery_info
=> osquery_packs
=> osquery_registry
=> osquery_schedule
=> pci_devices
=> platform_info
=> portage_keywords
=> portage_packages
=> portage_use
=> process_envs
=> process_events
=> process_memory_map
=> process_open_files
=> process_open_sockets
=> processes
=> prometheus_metrics
=> python_packages
=> routes
=> rpm_package_files
=> rpm_packages
=> shadow
=> shared_memory
=> shell_history
=> smbios_tables
=> socket_events
=> startup_items
=> sudoers
=> suid_bin
=> syslog_events
=> system_controls
=> system_info
=> time
=> uptime
=> usb_devices
=> user_events
=> user_groups
=> user_ssh_keys
=> users
=> yara
=> yara_events
c. View a table's schema
.schema table_name
For example:
.schema users
CREATE TABLE users(`uid` BIGINT, `gid` BIGINT, `uid_signed` BIGINT, `gid_signed` BIGINT, `username` TEXT, `description` TEXT, `directory` TEXT, `shell` TEXT, `uuid` TEXT, `type` TEXT HIDDEN, PRIMARY KEY (`uid`, `username`)) WITHOUT ROWID;
Note: it all comes down to writing SQL; what you actually need is simply to query the data in the relevant table. It is very powerful, and all the mainstream operating systems are supported.
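As an added example (not from the original post), here are a few queries a DevOps or security engineer would type into osqueryi on this CentOS host. They assume osquery 2.11.2 on Linux and use only tables shown in the .table output above; the column names are the ones osquery documents for those tables.

```sql
-- 1. Listening sockets joined to the owning process and user.
--    Useful both for inventory and for spotting an unexpected listener.
SELECT lp.port, lp.protocol, lp.address,
       p.pid, p.name, p.path, p.cmdline,
       u.username
FROM listening_ports AS lp
JOIN processes AS p ON p.pid = lp.pid
LEFT JOIN users AS u ON u.uid = p.uid
WHERE lp.port != 0
ORDER BY lp.port;

-- 2. Running processes whose executable no longer exists on disk
--    (on_disk = 0). Normal right after a package upgrade, otherwise
--    worth a look: the binary was removed after it was started.
SELECT pid, name, path, cmdline, uid
FROM processes
WHERE on_disk = 0;

-- 3. Scheduled jobs and SUID binaries: the baseline a defender records
--    once and compares against later to detect changes.
SELECT path, command, hour, minute FROM crontab;
SELECT path, username, permissions FROM suid_bin ORDER BY path;

-- 4. Quick performance snapshot for the DevOps use case in the note.
SELECT period, average FROM load_average;
SELECT memory_total, memory_free, buffers, cached FROM memory_info;
SELECT total_seconds FROM uptime;

-- 5. Interactive sessions currently logged in (time is a unix epoch,
--    so SQLite's datetime() renders it readably).
SELECT user, tty, host, datetime(time, 'unixepoch') AS since
FROM logged_in_users
WHERE type = 'user';
```

Wide rows such as query 1 read better after `.mode line`, which prints each column on its own line.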
3. A few tips
Changing the output mode:
.mode line    like \G in mysql (prints each column on its own line)
.table        list the system tables
.schema       show a table's structure
4. References
https://osquery.io/