https://github.com/linux-china/osquery-spring-boot-starter

Spring Boot Starter for osquery
https://github.com/linux-china/osquery-spring-boot-starter

duckdb osquery spring-boot spring-boot-starter

Last synced: 2 months ago
JSON representation

Spring Boot Starter for osquery

• Host: GitHub
• URL: https://github.com/linux-china/osquery-spring-boot-starter
• Owner: linux-china
• License: apache-2.0
• Created: 2017-10-14T02:53:47.000Z (over 8 years ago)
• Default Branch: master
• Last Pushed: 2025-06-04T04:26:15.000Z (about 1 year ago)
• Last Synced: 2026-02-08T23:47:57.806Z (5 months ago)
• Topics: duckdb, osquery, spring-boot, spring-boot-starter
• Language: Java
• Homepage:
• Size: 52.7 KB
• Stars: 0
• Watchers: 1
• Forks: 0
• Open Issues: 0
• Metadata Files:
  • Readme: README.md
  • License: LICENSE.txt

Awesome Lists containing this project

README

          
Spring Boot Starter osquery

===========================

Integrate osquery in Spring Boot 2/3.x to query system information.

Why Spring Boot starter for osquery?

- osquery is a powerful tool to query system information

- Query system information by REST API through Spring Boot Actuator endpoints

- You can use DuckDB, DataFusion to aggregate data from multi instances and store the data in S3/MinIO etc.

# Get Started

- Install osquery from https://github.com/osquery/osquery/releases

- Add dependency in your `pom.xml`:

```xml

  org.mvnsearch

  osquery-spring-boot-starter

  0.1.0

```

- Adjust `application.properties` to set management configuration

```

### management

management.server.port=8888

management.endpoints.web.exposure.include=*

management.endpoint.health.show-components=always

management.endpoint.health.show-details=always

### set osqueryi path if not in PATH

#osqueryi.path=/usr/local/bin/osqueryi

```

- Start your Spring Boot application and access the osquery endpoints

# Endpoints

* `/actuator/osquery`: list osquery info and table names

* `/actuator/osquery/{tableName}`: output table content

* `/actuator/osquery/{tableName}(col1,col2,col3)`: output table content with columns

**Note**: By default, the output is in CSV format. If you want to output in JSON format,

you can add format query string, such as `/actuator/osquery/etc_hosts?format=json`.

Examples:

```

### osquery

GET http://localhost:8888/actuator/osquery

### osquery schema

GET http://localhost:8888/actuator/osquery/etc_hosts

### osquery schema with columns

GET http://localhost:8888/actuator/osquery/etc_hosts(address,hostnames)

### osquery for load average

GET http://localhost:8888/actuator/osquery/load_average

```

# DuckDB friendly

Query load average:

```shell

$ duckdb -c "SELECT * FROM read_csv('http://localhost:8888/actuator/osquery/load_average')"

$ duckdb -c "SELECT * FROM 'http://localhost:8888/actuator/osquery/load_average.csv'"

```

Query processes:

 ```shell

$ duckdb -c "SELECT * FROM read_csv('http://localhost:8888/actuator/osquery/processes') where name like '%java%'"

```

# References

* osquery schema: https://osquery.io/schema/

* DuckDB: https://duckdb.org/