$ sudo osqueryd --help
Password:
osquery 3.3.2.45-Uptycs, your OS as a high-performance relational database
Usage: osqueryd [OPTION]...
osquery command line flags:
--flagfile PATH | Line-delimited file of additional flags |
--D | Run as a daemon process |
--S | Run as a shell process |
--alarm_timeout VALUE | Seconds to wait for a graceful shutdown |
--carver_block_size VALUE | Size of blocks used for POSTing data back to remote endpoints |
--carver_compression | Compress archives using zstd prior to upload (default false) |
--carver_continue_endpoint VALUE | TLS/HTTPS endpoint that receives carved content after session creation |
--carver_disable_function | Disable the osquery file carver function (default true) |
--carver_start_endpoint VALUE | TLS/HTTPS init endpoint for forensic carver |
--clean_database | Clear configured database path |
--config_accelerated_refresh VALUE | Interval to wait if reading a configuration fails |
--config_check | Check the format of an osquery config and exit |
--config_dump | Dump the contents of the configuration |
--config_enable_backup | Backup config and use it when refresh fails |
--config_path VALUE | Path to JSON config file |
--config_plugin VALUE | Config plugin name |
--config_refresh VALUE | Optional interval in seconds to re-read configuration |
--config_tls_endpoint VALUE | TLS/HTTPS endpoint for config retrieval |
--config_tls_max_attempts VALUE | Number of attempts to retry a TLS config/enroll request |
--daemonize | Attempt to daemonize (POSIX only) |
--database_dump | Dump the contents of the backing store |
--database_path VALUE | If using a disk-based backing store, specify a path |
--disable_auto_memory | Disable auto memory calculation and give precedence to what is set in --watchdog_memory_limit flag. |
--disable_carver | Disable the osquery file carver (default true) |
--disable_diag_events | enable/disable diagnostic event collection, default = true |
--disable_diag_forwarding | enable/disable diagnostic event forwarding, default = true |
--disable_enrollment | Disable enrollment functions on related config/logger plugins |
--disable_extensions | Disable extension API |
--disable_reenrollment | Disable re-enrollment attempts if related plugins return invalid |
--disable_watchdog | Disable userland watchdog process |
--enable_extensions_watchdog | Enable userland watchdog for extensions processes |
--enable_proxy_auto_discovery | Whether to discover proxy-enabled route to tls- cloud automatically |
--enroll_always | On startup, send a new enrollment request |
--enroll_secret_env VALUE | Name of environment variable holding enrollment-auth secret |
--enroll_secret_path VALUE | Path to an optional client enrollment-auth secret |
--enroll_tls_endpoint VALUE | TLS/HTTPS endpoint for client enrollment |
--extensions_autoload VALUE | Optional path to a list of autoloaded & managed extensions |
--extensions_interval VALUE | Seconds delay between connectivity checks |
--extensions_require VALUE | Comma-separated list of required extensions |
--extensions_socket VALUE | Path to the extensions UNIX domain socket |
--extensions_timeout VALUE | Seconds to wait for autoloaded extensions |
--force | Force osqueryd to kill previously-running daemons |
--install | Install osqueryd as a service |
--killswitch_tls_endpoint VALUE | TLS/HTTPS endpoint for killswitch config retrieval |
--killswitch_tls_max_attempts VALUE | Number of attempts to retry a TLS killswitch config request |
--logger_stderr | Write status logs to stderr |
--logtostderr | Log messages to stderr in addition to the logger plugin(s) |
--max_descriptors_limit VALUE | Maximum number of simultaneously open files |
--max_heartbeat_delay VALUE | Maximum time in seconds for which a heartbeat from various osquery threads is not heard |
--pidfile VALUE | Path to the daemon pidfile mutex |
--proxy_auto_discovery_order VALUE | Order in which proxy discovery is attempted. |
--proxy_hostname VALUE | Comma separated list of proxy servers to select from |
--purge_fast_buffered_records | Purge all the records at the start |
--stderrthreshold VALUE | Stderr log level threshold |
--tls_client_cert VALUE | Optional path to a TLS client-auth PEM certificate |
--tls_client_key VALUE | Optional path to a TLS client-auth PEM private key |
--tls_hostname VALUE | TLS/HTTPS hostname for Config, Logger, and Enroll plugins |
--tls_server_certs VALUE | Optional path to a TLS server PEM certificate(s) bundle |
--tls_session_reuse | Reuse TLS session sockets |
--tls_session_timeout VALUE | TLS session keep alive timeout in seconds |
--uninstall | Uninstall osqueryd as a service |
--watchdog_above_sixteen_alloc_vm VALUE | This flag is for the allocated memory above 16 GB, by default it is 32 MB. |
--watchdog_base_alloc_vm VALUE | This flag is for the allocated VM for base memory, by default it is for 2GB ==> 400 MB. |
--watchdog_base_memory VALUE | This is a base memory, on which the base vm allocation would be applied, by default it is 2 GB. |
--watchdog_below_sixteen_alloc_vm VALUE | This flag is for the allocated VM above 2 GB and below 16 GB, by default it is 80 MB |
--watchdog_db_check_interval VALUE | Rocks db limit check interval |
--watchdog_db_limit VALUE | Override watchdog rocks db limit (e.g., 1024, for 1024MB) |
--watchdog_delay VALUE | Initial delay in seconds before watchdog starts |
--watchdog_diag_queue_size VALUE | Maximum persistent diag event accumulated when enroll fails/network issue. |
--watchdog_diag_sender_interval VALUE | Diagnostic event sender interval |
--watchdog_level VALUE | Performance limit level (0=normal, 1=restrictive, -1=off) |
--watchdog_memory_limit VALUE | Override watchdog profile memory limit (e.g., 300, for 300MB) |
--watchdog_utilization_limit VALUE | Override watchdog profile CPU utilization limit |
--audit_allow_fim_events | Allow the audit publisher to enable file event |
--audit_allow_process_events | Allow the audit publisher to enable process event |
--audit_allow_sockets | Allow the audit publisher to enable socket events |
--audit_allow_user_events | Allow the audit publisher to enable user events |
--audit_events_rate VALUE | Controlling the max rate of audit events processed by osquery. Default is 0, no restriction |
--augeas_lenses VALUE | Directory that contains augeas lenses files |
--auto_flags_update | Enables automatic flag updates via config |
--aws_access_key_id VALUE | AWS access key ID |
--aws_enable_proxy | Enable proxying of HTTP/HTTPS requests in AWS client config |
--aws_firehose_period VALUE | Seconds between flushing logs to Firehose (default 10) |
--aws_firehose_stream VALUE | Name of Firehose stream for logging |
--aws_kinesis_period VALUE | Seconds between flushing logs to Kinesis (default 10) |
--aws_kinesis_random_partition_key | Enable random kinesis partition keys |
--aws_kinesis_stream VALUE | Name of Kinesis stream for logging |
--aws_profile_name VALUE | AWS profile for authentication and region configuration |
--aws_proxy_host VALUE | Proxy host for use in AWS client config |
--aws_proxy_password VALUE | Proxy password for use in AWS client config |
--aws_proxy_port VALUE | Proxy port for use in AWS client config |
--aws_proxy_scheme VALUE | Proxy HTTP scheme for use in AWS client config (http or https, default https) |
--aws_proxy_username VALUE | Proxy username for use in AWS client config |
--aws_region VALUE | AWS region |
--aws_secret_access_key VALUE | AWS secret access key |
--aws_sts_arn_role VALUE | AWS STS ARN role |
--aws_sts_region VALUE | AWS STS region |
--aws_sts_session_name VALUE | AWS STS session name |
--aws_sts_timeout VALUE | AWS STS assume role credential validity in seconds (default 3600) |
--buffered_log_max VALUE | Maximum number of logs in buffered output plugins (0 = unlimited) |
--decorations_top_level | Add decorators as top level JSON objects |
--disable_audit | Disable receiving events from the audit subsystem |
--disable_caching | Disable scheduled query caching |
--disable_database | Disable the persistent RocksDB storage |
--disable_decorators | Disable log result decoration |
--disable_distributed | Disable distributed queries (default true) |
--disable_events | Disable osquery publish/subscribe system |
--disable_events_staging | This is an optimization. If set to true, events will be forwarded to logger(s) only, events can not be queried via sql query. |
--disable_fs_events_based_file_events | Disable fsevents based FIM |
--disable_hash_cache | Cache calculated file hashes, re-calculate only if inode times change |
--disable_logging | Disable ERROR/INFO logging |
--disable_tables VALUE | Comma-delimited list of table names to be disabled |
--distributed_interval VALUE | Seconds between polling for new queries (default 60) |
--distributed_plugin VALUE | Distributed plugin name |
--distributed_tls_max_attempts VALUE | Number of times to attempt a request |
--distributed_tls_read_endpoint VALUE | TLS/HTTPS endpoint for distributed query retrieval |
--distributed_tls_write_endpoint VALUE | TLS/HTTPS endpoint for distributed query results |
--docker_socket VALUE | Docker UNIX domain socket path |
--enable_dns_lookups | Enable the DNS lookups capture event publisher |
--enable_foreign | Enable no-op foreign virtual tables |
--enable_http_lookups | Enable the HTTP capture event publisher |
--enable_keyboard_events | Enable listening for keyboard events |
--enable_killswitch | Enable killswitch plugin |
--enable_mouse_events | Enable listening for mouse events |
--enable_numeric_monitoring | Enable numeric monitoring system |
--ephemeral | Skip pidfile and database state checks |
--events_expiry VALUE | Timeout to expire event subscriber results |
--events_max VALUE | Maximum number of events per type to buffer |
--events_optimize | Optimize subscriber select queries (scheduler only) |
--exclude_dnslookup_urls VALUE | Comma-separated list of urls to be excluded in dns_lookup_events table. |
--generate_process_hash_in_process_event | Report process image file hash with process events. Uses cache |
--generate_record_hash | Allow unique id calculation to distinguish same added/removed events. |
--hash_cache_max VALUE | Size of LRU file hash cache |
--host_identifier VALUE | Field used to identify the host running osquery (hostname, uuid, instance, ephemeral, specified) |
--include_http_headers VALUE | Comma-separated list of headers to be included in http_events table |
--killswitch_config_path VALUE | Path to JSON killswitch config file |
--killswitch_plugin VALUE | Killswitch plugin name. |
--killswitch_refresh_rate VALUE | Refresh rate of killswitch in seconds |
--logger_event_type | Log scheduled results as events |
--logger_kafka_acks VALUE | The number of acknowledgments the leader has to receive (0, 1, 'all') |
--logger_kafka_brokers VALUE | Bootstrap broker(s) as a comma-separated list of host or host:port (default port 9092) |
--logger_kafka_compression VALUE | Compression codec to use for compressing message sets ('none' or 'gzip') |
--logger_kafka_topic VALUE | Kafka topic to publish logs under |
--logger_min_status VALUE | Minimum level for status log recording |
--logger_min_stderr VALUE | Minimum level for statuses written to stderr |
--logger_mode VALUE | Decimal mode for log files (default '0640') |
--logger_path VALUE | Directory path for ERROR/WARN/INFO and results logging |
--logger_plugin VALUE | Logger plugin name |
--logger_secondary_status_only | Only send status logs to secondary logger plugins |
--logger_snapshot_event_type | Log scheduled snapshot results as events |
--logger_tls_compress | GZip compress TLS/HTTPS request body |
--logger_tls_endpoint VALUE | TLS/HTTPS endpoint for results logging |
--logger_tls_max VALUE | Max size in bytes allowed per log line |
--logger_tls_period VALUE | Seconds between flushing logs over TLS/HTTPS |
--max_stderr_log_size VALUE | Maximum size of redirected stderr log file |
--nullvalue VALUE | Set string for NULL values, default '' |
--numeric_monitoring_filesystem_path VALUE | File to dump numeric monitoring records one per line. The format of the line is <PATH><TAB><VALUE><TAB><TIMESTAMP>. |
--numeric_monitoring_plugins VALUE | Comma separated numeric monitoring plugins names |
--numeric_monitoring_pre_aggregation_time VALUE | Time period in seconds for numeric monitoring pre-aggregation buffer. |
--pack_delimiter VALUE | Delimiter for pack and query names |
--pack_refresh_interval VALUE | Cache expiration for a pack's discovery queries |
--read_max VALUE | Maximum file read size |
--redirect_stderr | Redirect STD error to status log file |
--schedule_default_interval VALUE | Query interval to use if none is provided |
--schedule_epoch VALUE | Epoch for scheduled queries |
--schedule_max_drift VALUE | Max time drift in seconds. Scheduler tries to compensate the drift until the drift exceeds this value. After that the drift will be reset to zero and the compensation process will start from the beginning. It is needed to avoid the problem of endless compensation (which is CPU greedy) after a long SIGSTOP/SIGCONT pause or something similar. Set it to zero to switch off drift compensation. Default: 60 |
--schedule_reload VALUE | Interval in seconds to reload database arenas |
--schedule_splay_percent VALUE | Percent to splay config times |
--schedule_timeout VALUE | Limit the schedule, 0 for no limit |
--software_update | Enables osquery auto-update feature |
--specified_identifier VALUE | Field used to specify the host_identifier when set to "specified" |
--table_delay VALUE | Add an optional microsecond delay between table scans |
--utc | Convert all UNIX times to UTC |
--value_max VALUE | Maximum returned row value size |
--verbose | Enable verbose informational messages |
--worker_threads VALUE | Number of work dispatch threads |