Kolide Launcher for Osquery

Streamline Your Osquery Deployment

Built for Kolide,
100% Open Source

Launcher is the result of hard-won experience: years of building products, supporting organizations, and making long-term investments in the osquery ecosystem.

Osquery possesses an incredible range of features and utility, but getting it up and running across your fleet can be a daunting task. That's why we built Kolide Launcher, an open-source project aimed at removing the hurdles of installing, updating and using osquery at scale.

Wait, what is osquery?

Key Osquery Improvements

  • Always Up to Date

    Take advantage of emerging osquery capabilities faster with Kolide Launcher's auto-updater. Using The Update Framework (TUF), each update is verified against signed metadata before it is installed, so you can update osquery securely and with ease.

  • Easy Packaging & Deployment

    Deploying osquery and configuring it to communicate with a management server can be complicated. The Launcher includes a tool to help create Launcher packages for your organization.

  • gRPC Remote API

    The Launcher includes a set of gRPC plugins for remote communication with a gRPC server. An implementation of the gRPC server is included with the Kolide Fleet osquery fleet manager.

Did we mention extra tables?

Osquery lets you ask a lot of great questions, but which are the right questions? Kolide Launcher includes opinionated tables that aggregate useful information to solve real use-cases across your organization.

  • Vulnerabilities

    Discover whether a machine is susceptible to recently published exploits and vulnerabilities.

  • macOS Spotlight Quicklook

    Leverage the power of macOS's native indexing to search for arbitrary file information and metadata across your device.

  • User - Device Correlation

    Enumerate email addresses and other user artifacts to easily determine device ownership and usage.

  • Best Practices

    Check the compliance status of important security practices recommended by OS vendors and infosec professionals.

    > SELECT * FROM kolide_best_practices;

    gatekeeper_enabled           = TRUE
    sip_enabled                  = TRUE
    filevault_enabled            = FALSE
    screensaver_password_enabled = TRUE
    remote_apple_events_disabled = TRUE
    internet_sharing_disabled    = TRUE

Reduced Config Surface

The osqueryd binary was designed to be highly configurable, which lets it run in very different environments; compare the two help outputs below. The Launcher wraps that osqueryd configuration and exposes a handful of high-level options that connect osquery to a server implementing the Launcher's gRPC API (such as Kolide Fleet).

    $ osqueryd --help
    osquery 2.9.0, your OS as a high-performance relational database
    Usage: osqueryd [OPTION]...

    osquery command line flags:

      --flagfile PATH                         Line-delimited file of additional flags
      --D                                     Run as a daemon process
      --S                                     Run as a shell process
      --alarm_timeout VALUE                   Seconds to wait for a graceful shutdown
      --carver_block_size VALUE               Size of blocks used for POSTing data back to remote endpoints
      --carver_compression                    Compress archives using zstd prior to upload (default false)
      --carver_continue_endpoint VALUE        TLS/HTTPS endpoint that receives carved content after session creation
      --carver_disable_function               Disable the osquery file carver function (default true)
      --carver_start_endpoint VALUE           TLS/HTTPS init endpoint for forensic carver
      --config_accelerated_refresh VALUE      Interval to wait if reading a configuration fails
      --config_check                          Check the format of an osquery config and exit
      --config_dump                           Dump the contents of the configuration
      --config_path VALUE                     Path to JSON config file
      --config_plugin VALUE                   Config plugin name
      --config_refresh VALUE                  Optional interval in seconds to re-read configuration
      --config_tls_endpoint VALUE             TLS/HTTPS endpoint for config retrieval
      --config_tls_max_attempts VALUE         Number of attempts to retry a TLS config/enroll request
      --daemonize                             Attempt to daemonize (POSIX only)
      --database_dump                         Dump the contents of the backing store
      --database_path VALUE                   If using a disk-based backing store, specify a path
      --disable_carver                        Disable the osquery file carver (default true)
      --disable_enrollment                    Disable enrollment functions on related config/logger plugins
      --disable_extensions                    Disable extension API
      --disable_reenrollment                  Disable re-enrollment attempts if related plugins return invalid
      --disable_watchdog                      Disable userland watchdog process
      --enroll_always                         On startup, send a new enrollment request
      --enroll_secret_env VALUE               Name of environment variable holding enrollment-auth secret
      --enroll_secret_path VALUE              Path to an optional client enrollment-auth secret
      --enroll_tls_endpoint VALUE             TLS/HTTPS endpoint for client enrollment
      --extensions_autoload VALUE             Optional path to a list of autoloaded & managed extensions
      --extensions_interval VALUE             Seconds delay between connectivity checks
      --extensions_require VALUE              Comma-separated list of required extensions
      --extensions_socket VALUE               Path to the extensions UNIX domain socket
      --extensions_timeout VALUE              Seconds to wait for autoloaded extensions
      --force                                 Force osqueryd to kill previously-running daemons
      --install                               Install osqueryd as a service
      --logtostderr                           Log messages to stderr in addition to the logger plugin(s)
      --pidfile VALUE                         Path to the daemon pidfile mutex
      --stderrthreshold VALUE                 Stderr log level threshold
      --tls_client_cert VALUE                 Optional path to a TLS client-auth PEM certificate
      --tls_client_key VALUE                  Optional path to a TLS client-auth PEM private key
      --tls_hostname VALUE                    TLS/HTTPS hostname for Config, Logger, and Enroll plugins
      --tls_server_certs VALUE                Optional path to a TLS server PEM certificate(s) bundle
      --uninstall                             Uninstall osqueryd as a service
      --watchdog_delay VALUE                  Initial delay in seconds before watchdog starts
      --watchdog_level VALUE                  Performance limit level (0=normal, 1=restrictive, -1=off)
      --watchdog_memory_limit VALUE           Override watchdog profile memory limit (e.g., 300, for 300MB)
      --watchdog_utilization_limit VALUE      Override watchdog profile CPU utilization limit

    osquery configuration options (set by config or CLI flags):

      --augeas_lenses VALUE                   Directory that contains augeas lenses files
      --aws_access_key_id VALUE               AWS access key ID
      --aws_firehose_period VALUE             Seconds between flushing logs to Firehose (default 10)
      --aws_firehose_stream VALUE             Name of Firehose stream for logging
      --aws_kinesis_period VALUE              Seconds between flushing logs to Kinesis (default 10)
      --aws_kinesis_random_partition_key      Enable random kinesis partition keys
      --aws_kinesis_stream VALUE              Name of Kinesis stream for logging
      --aws_profile_name VALUE                AWS profile for authentication and region configuration
      --aws_region VALUE                      AWS region
      --aws_secret_access_key VALUE           AWS secret access key
      --aws_sts_arn_role VALUE                AWS STS ARN role
      --aws_sts_region VALUE                  AWS STS region
      --aws_sts_session_name VALUE            AWS STS session name
      --aws_sts_timeout VALUE                 AWS STS assume role credential validity in seconds (default 3600)
      --buffered_log_max VALUE                Maximum number of logs in buffered output plugins (0 = unlimited)
      --decorations_top_level                 Add decorators as top level JSON objects
      --disable_audit                         Disable receiving events from the audit subsystem
      --disable_caching                       Disable scheduled query caching
      --disable_database                      Disable the persistent RocksDB storage
      --disable_decorators                    Disable log result decoration
      --disable_distributed                   Disable distributed queries (default true)
      --disable_events                        Disable osquery publish/subscribe system
      --disable_logging                       Disable ERROR/INFO logging
      --disable_tables VALUE                  Comma-delimited list of table names to be disabled
      --distributed_interval VALUE            Seconds between polling for new queries (default 60)
      --distributed_plugin VALUE              Distributed plugin name
      --distributed_tls_max_attempts VALUE    Number of times to attempt a request
      --distributed_tls_read_endpoint VALUE   TLS/HTTPS endpoint for distributed query retrieval
      --distributed_tls_write_endpoint VALUE  TLS/HTTPS endpoint for distributed query results
      --docker_socket VALUE                   Docker UNIX domain socket path
      --enable_foreign                        Enable no-op foreign virtual tables
      --ephemeral                             Skip pidfile and database state checks
      --events_expiry VALUE                   Timeout to expire event subscriber results
      --events_max VALUE                      Maximum number of events per type to buffer
      --events_optimize                       Optimize subscriber select queries (scheduler only)
      --host_identifier VALUE                 Field used to identify the host running osquery (hostname, uuid, instance, ephemeral, specified)
      --logger_event_type                     Log scheduled results as events
      --logger_kafka_acks VALUE               The number of acknowledgments the leader has to receive (0, 1, 'all')
      --logger_kafka_brokers VALUE            Bootstrap broker(s) as a comma-separated list of host or host:port (default port 9092)
      --logger_kafka_topic VALUE              Kafka topic to publish logs under
      --logger_min_status VALUE               Minimum level for status log recording
      --logger_mode VALUE                     Decimal mode for log files (default '0640')
      --logger_path VALUE                     Directory path for ERROR/WARN/INFO and results logging
      --logger_plugin VALUE                   Logger plugin name
      --logger_secondary_status_only          Only send status logs to secondary logger plugins
      --logger_tls_compress                   GZip compress TLS/HTTPS request body
      --logger_tls_endpoint VALUE             TLS/HTTPS endpoint for results logging
      --logger_tls_max VALUE                  Max size in bytes allowed per log line
      --logger_tls_period VALUE               Seconds between flushing logs over TLS/HTTPS
      --nullvalue VALUE                       Set string for NULL values, default ''
      --pack_delimiter VALUE                  Delimiter for pack and query names
      --pack_refresh_interval VALUE           Cache expiration for a packs discovery queries
      --read_max VALUE                        Maximum file read size
      --schedule_default_interval VALUE       Query interval to use if none is provided
      --schedule_epoch VALUE                  Epoch for scheduled queries
      --schedule_reload VALUE                 Interval in seconds to reload database arenas
      --schedule_splay_percent VALUE          Percent to splay config times
      --schedule_timeout VALUE                Limit the schedule, 0 for no limit
      --specified_identifier VALUE            Field used to specify the host_identifier when set to "specified"
      --table_delay VALUE                     Add an optional microsecond delay between table scans
      --utc                                   Convert all UNIX times to UTC
      --value_max VALUE                       Maximum returned row value size
      --verbose                               Enable verbose informational messages
      --worker_threads VALUE                  Number of work dispatch threads

    osquery project page <https://osquery.io>.
    $ launcher --help
    The Osquery Launcher, by Kolide (version 1.0.0)

    Usage: launcher --option=value

    Options:
      --hostname             The hostname of the gRPC server
      --enroll_secret        The enroll secret that is used in your environment
      --enroll_secret_path   Optionally, the path to your enrollment secret
      --root_directory       The location of the local database, pidfiles, etc.
      --osqueryd_path        Path to the osqueryd binary to use (Default: find osqueryd in $PATH)
      --autoupdate           Whether or not the osquery autoupdater is enabled (default: false)
      --version              Print Launcher version and exit

    All options can be set as environment variables using the following convention:
      KOLIDE_LAUNCHER_OPTION=value launcher

      --dev_help             Print full Launcher help, including developer options

    For more information, check out https://kolide.com/osquery
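To make the difference in config surface concrete, here is an added example (not Kolide's code, and not what Launcher itself executes) that renders the osqueryd flag set an administrator would otherwise hand-maintain to reach a remote server, generated from the three high-level inputs Launcher asks for, next to the Launcher invocation that replaces it. It assumes a server speaking the osquery TLS plugin API at the /api/v1/osquery/* paths used below (adjust them for your server) and a CA bundle placed in the root directory; every osqueryd flag used appears in the help output above. Launcher drives osqueryd through its gRPC plugins rather than the TLS plugins, so this is the hand-rolled equivalent, not a transcript of Launcher's internals.

```shell
#!/bin/sh
# Added example, not Kolide's code. Assumed: a TLS-speaking server at the
# /api/v1/osquery/* paths below, and <root_dir>/server-ca.pem as the CA bundle.

# Emit one osqueryd flag per line from the three high-level inputs.
# Every flag here is listed in `osqueryd --help`.
osqueryd_flags() {
  server="$1"        # host:port of the fleet server
  secret_path="$2"   # file holding the enrollment secret (keep it mode 0600)
  root_dir="$3"      # database, pidfile and logs live here
  cat <<EOF
--tls_hostname=$server
--tls_server_certs=$root_dir/server-ca.pem
--enroll_secret_path=$secret_path
--enroll_tls_endpoint=/api/v1/osquery/enroll
--config_plugin=tls
--config_tls_endpoint=/api/v1/osquery/config
--config_refresh=300
--logger_plugin=tls
--logger_tls_endpoint=/api/v1/osquery/log
--logger_tls_period=10
--disable_distributed=false
--distributed_plugin=tls
--distributed_tls_read_endpoint=/api/v1/osquery/distributed/read
--distributed_tls_write_endpoint=/api/v1/osquery/distributed/write
--distributed_interval=60
--database_path=$root_dir/osquery.db
--pidfile=$root_dir/osquery.pid
--logger_path=$root_dir/logs
--host_identifier=uuid
EOF
}

# The equivalent Launcher invocation, using the environment-variable
# convention from `launcher --help` (KOLIDE_LAUNCHER_<OPTION>=value).
# The secret is handed over by path, never by value.
launcher_invocation() {
  cat <<EOF
KOLIDE_LAUNCHER_HOSTNAME=$1 \\
KOLIDE_LAUNCHER_ENROLL_SECRET_PATH=$2 \\
KOLIDE_LAUNCHER_ROOT_DIRECTORY=$3 \\
KOLIDE_LAUNCHER_AUTOUPDATE=true \\
launcher
EOF
}

# Returns 0 (true) when a command line or env block carries the enrollment
# secret inline, where `ps`, shell history and unit files expose it.
# --enroll_secret_path and KOLIDE_LAUNCHER_ENROLL_SECRET_PATH do not match.
secret_on_cmdline() {
  printf '%s\n' "$1" | grep -qE -- '(--enroll_secret|KOLIDE_LAUNCHER_ENROLL_SECRET)='
}

# Number of flags a hand-written deployment has to keep in sync.
flag_count() {
  osqueryd_flags "$1" "$2" "$3" | grep -c '^--'
}

# Demo run with placeholder values (constructed, not a real deployment).
osqueryd_flags fleet.example.com:443 /etc/kolide/secret /var/kolide
echo
launcher_invocation fleet.example.com:443 /etc/kolide/secret /var/kolide
```

Two things worth keeping from this when you deploy for real: pin --tls_server_certs (or the Launcher equivalent) to your server's CA rather than trusting the system store, and note that while osqueryd only ever reads the enrollment secret from a file or an environment variable, Launcher also accepts --enroll_secret inline; prefer --enroll_secret_path in service definitions so the secret never shows up in a process listing.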