The osquery shell and daemon use optional command line (CLI) flags to control initialization, disable/enable features, and select plugins. These flags are powered by Google Flags and are somewhat complicated. Understanding how flags work in osquery will help with stability and greatly reduce issue debugging time.

Most flags apply to both tools, osqueryi and osqueryd. The shell contains a few more to help with printing and other helpful one-off modes of operation. Expect Linux, macOS and Windows to include platform-specific flags too. Most platform-specific flags control the OS API and library integrations used by osquery. Warning: this list is still not the complete set of flags. Refer to the techniques below for obtaining ground truth and check other components of this Wiki.

Flags that do not control startup settings may be included as "options" within the configuration. Essentially, any flag needed to help osquery determine and discover a configuration must be supplied via command line arguments. Google Flags enhances this to allow flags to be set within environment variables or via a "master" flag file.

To see a full list of flags for your osquery version use --help or select from the osquery_flags table:

osquery> SELECT * FROM osquery_flags;

To see the flags that have been updated by your configuration, a flag file, or by the shell try:

osquery> SELECT * FROM osquery_flags WHERE default_value <> value;

Command line only flags

A special flag, part of Google Flags, can be used to read additional flags from a line-delimited file. On macOS and Linux this --flagfile is the recommended way to add/remove the following CLI-only initialization flags. Include line-delimited switches to be interpreted and used as CLI flags, one switch per line.

If no --flagfile is provided, osquery will try to find and use a "default" flagfile under /etc/osquery/. Both the shell and daemon will discover and use the defaults.

NOTICE: Flags in a flagfile should not be wrapped in quotes; shell-macro/variable expansion is not applied!

Configuration control flags

--config_plugin: Config plugin name. This selects the type of configuration retrieval; the default filesystem plugin reads a configuration JSON from disk. Built-in options include: filesystem, tls.

--config_path: The filesystem config plugin's path to a JSON file. On macOS the default path is under /var/osquery/. If you want to read from multiple configuration paths, create a directory under /etc/osquery/; all files within that optional directory will be read and merged in lexical order.

--config_refresh: An optional configuration refresh interval in seconds. By default a configuration is fetched only at osquery load. If the configuration should be auto-updated, set a "refresh" time to a value in seconds greater than 0. If the configuration endpoint cannot be reached during runtime, the normal retry approach is applied (e.g., the tls config plugin will retry 3 times).

--config_accelerated_refresh: If a configuration refresh is used (config_refresh > 0) and the refresh attempt fails, the accelerated refresh interval will be used. This allows plugins like tls to fetch fresh data after having been offline for a while.

--config_check: Check the format of an osquery config and exit. osquery will return a non-0 exit code if the parsing failed.

--config_dump: Request that the configuration JSON be printed to standard out before it is updated. In this case "updated" means applied to the active config. When osquery starts it performs an initial update from the config plugin. To quickly debug the content retrieved by custom config plugins, use this in tandem with --config_check.

Daemon control flags

--force: Force osqueryd to kill previously-running daemons. The daemon will check for an existing "pidfile". If found, and if it contains the pid of a process named "osqueryd", that process will be killed.

--pidfile: Path to the daemon pidfile. The file is used to prevent multiple osqueryd processes starting.

--disable_watchdog: Disable the userland watchdog process. osqueryd uses a watchdog process to monitor the memory and CPU utilization of threads executing the query schedule. If any performance limit is violated, the "worker" process will be restarted.

--watchdog_level: Performance limit level (0=normal, 1=restrictive, -1=disabled). The watchdog process uses a "level" to configure performance limits. The level limits are as follows:

Memory: default 200M, restrictive 100M
CPU: default 25% (for 9 seconds), restrictive 18% (for 9 seconds)

The normal level allows for 10 restarts if the limits are violated. The restrictive level allows for only 4, after which the service will be disabled. For both there is a linear backoff of 5 seconds, doubling each retry.

It is better to set the level to disabled (-1) than to disable the watchdog outright, as the worker/watcher concept is used for extension autoloading too.

The watchdog "profiles" can be overridden for memory and CPU utilization:

--watchdog_memory_limit: If this value is >0 then the watchdog level (--watchdog_level) for maximum memory is overridden.
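Because a flagfile is read line by line with no shell processing, mistakes such as quoted values or `$VAR` references are passed through literally and only surface as a misbehaving daemon. The linter below is an added example, not osquery project code; it checks a flagfile against the rules this page states (one switch per line, no quotes, no variable expansion) and warns when `--disable_watchdog` is used instead of the recommended `--watchdog_level=-1`. The sample flagfile is constructed for the example, and treating lines beginning with `#` as comments is an assumption of this linter, not something the page documents.

```python
"""Lint an osquery flagfile before deployment (added example, not osquery code)."""
import re
from dataclasses import dataclass, field

# Accepts --name, --name=value and the single-dash form that Google Flags also takes.
SWITCH_RE = re.compile(r"^--?([A-Za-z_][A-Za-z0-9_]*)(?:=(.*))?$")


@dataclass
class Finding:
    line_no: int
    message: str


@dataclass
class LintResult:
    flags: dict = field(default_factory=dict)      # flag name -> value (None for a bare switch)
    findings: list = field(default_factory=list)


def lint_flagfile(text: str) -> LintResult:
    """Parse a line-delimited flagfile and report likely misconfigurations."""
    result = LintResult()
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):      # assumption: '#' lines are comments
            continue
        m = SWITCH_RE.match(line)
        if not m:
            result.findings.append(Finding(line_no, f"not a --flag[=value] switch: {line!r}"))
            continue
        name, value = m.group(1), m.group(2)
        if name in result.flags:
            result.findings.append(Finding(line_no, f"--{name} is set more than once; the last value wins"))
        if value is not None:
            # Quotes are not stripped: they become part of the value osquery sees.
            if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
                result.findings.append(Finding(line_no, f"--{name}: value is wrapped in quotes; the quotes become part of the value"))
            # No shell expansion is applied, so $VAR or `cmd` is passed literally.
            if "$" in value or "`" in value:
                result.findings.append(Finding(line_no, f"--{name}: shell expansion is not applied; {value!r} is passed literally"))
        # A bare boolean switch means true in Google Flags.
        if name == "disable_watchdog" and (value is None or value.lower() in ("true", "1")):
            result.findings.append(Finding(line_no, "--disable_watchdog also removes the watcher used for extension autoloading; prefer --watchdog_level=-1"))
        result.flags[name] = value
    return result


# Constructed sample flagfile, not taken from any real deployment.
SAMPLE_FLAGFILE = """\
# constructed sample, not a real deployment
--config_plugin=filesystem
--config_refresh=300
--logger_path="/var/log/osquery"
--pidfile=$HOME/osqueryd.pid
--disable_watchdog=true
--config_refresh=600
"""

if __name__ == "__main__":
    report = lint_flagfile(SAMPLE_FLAGFILE)
    for f in report.findings:
        print(f"line {f.line_no}: {f.message}")
```

Run it against a real flagfile by reading the file into `lint_flagfile`; an empty `findings` list means every line parsed as a single switch with no quoting, expansion or duplicate issues.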