Osquery and OpenTelemetry

osquery turns your machines and endpoints into a queryable SQL database. For example, you can SELECT * FROM USERS or SELECT * FROM PROCESSES WHERE on_disk=0.

Typically this is used for security use cases to check that endpoints meet certain criteria. Or put another way, to ensure they don’t meet certain criteria (like having processes running only in RAM - a strong indicator of compromise).

That’s all great, but as an Observability practitioner, I work in Observability tools and so I was wondering how to get that data into the tooling I use.

I’m happy to say that it’s possible, using the OpenTelemetry collector!

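As an added example (not configuration from the original post or from the osquery or OpenTelemetry projects), here is a minimal OpenTelemetry Collector configuration that picks up osquery's scheduled-query results and turns them into OpenTelemetry log records. It assumes osqueryd is running with its default filesystem logger, so results land as one JSON object per line in /var/log/osquery/osqueryd.results.log (the path is the Linux default and should be adjusted to the host), and that a scheduled query such as the on_disk=0 process check above has been configured in osquery. The debug exporter is used only so the records can be seen on the collector's console; a real deployment would point the pipeline at whatever backend you use.

```yaml
receivers:
  filelog:
    # Default location of osquery's filesystem logger on Linux (assumed; adjust per host).
    include:
      - /var/log/osquery/osqueryd.results.log
    # Read the whole file the first time the collector starts, then tail it.
    start_at: beginning
    operators:
      # Every line is a JSON result such as:
      #   {"name":"in_memory_processes","hostIdentifier":"host-1","unixTime":1700000000,
      #    "action":"added","columns":{"pid":"1234","name":"x","on_disk":"0"}}
      # json_parser lifts the JSON keys into log record attributes, so the
      # scheduled query name, host identifier and result columns become queryable fields.
      - type: json_parser
        parse_from: body
        timestamp:
          # Use osquery's own timestamp rather than the time the collector read the line.
          parse_from: attributes.unixTime
          layout_type: epoch
          layout: s

processors:
  # Batch records before export to reduce outbound request volume.
  batch:

exporters:
  # Prints each log record with its attributes so the mapping can be checked locally.
  debug:
    verbosity: detailed

service:
  pipelines:
    logs:
      receivers: [filelog]
      processors: [batch]
      exporters: [debug]
```

Because osquery emits an "action" of added or removed for differential results, a detection on the observability side can key on attributes.action together with attributes.name (the scheduled query's name) to alert only when a new in-memory-only process appears, rather than on every scheduled run.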