Understanding osquery: SQL-Powered System Monitoring
Apr 15, 2025
The Detective Tool for Your Linux System — Meet osquery!
Introduction
Have you ever wanted to inspect your running processes, open ports, or installed packages using SQL queries? That’s exactly what osquery does — it exposes your operating system as a high-performance relational database, allowing you to query system information like a developer.
In this blog, I’ll explain what osquery is, why it’s useful, and how to install and use it — including a Nix-based installation method for Linux systems.
What is osquery?
Developed by Facebook (now Meta), osquery is an open-source tool that lets you:
- Query system data (processes, users, network connections, etc.) using SQL
- Monitor changes in real time (like a continuous ps, netstat, or lsof)
- Enforce security policies (detect malware, unauthorized software, suspicious activity)
Instead of running ps aux or netstat -tulpn, you can write:
SELECT * FROM processes WHERE name = 'sshd';
Or check open listening ports:
SELECT * FROM listening_ports WHERE port = 22;
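The two tables above can be joined on pid, so a single query answers "which program owns which listening port", the question netstat -tulpn is usually run for. The following is an added example, not code from the original post; it assumes the stock osquery schema on Linux (listening_ports.protocol 6 = TCP, family 2 = IPv4 and 10 = IPv6) and is meant to be run in osqueryi or as a scheduled query.

```sql
-- Added example: map every TCP listening socket to the process that owns it.
-- Assumes the stock osquery schema: listening_ports.protocol 6 = TCP, 17 = UDP;
-- listening_ports.family 2 = IPv4, 10 = IPv6. Port 0 rows are unbound sockets.
SELECT
  lp.port,
  lp.address,
  CASE lp.family WHEN 2 THEN 'ipv4' WHEN 10 THEN 'ipv6' ELSE 'other' END AS family,
  p.pid,
  p.name,
  p.path,
  p.cmdline,
  u.username
FROM listening_ports AS lp
JOIN processes AS p ON p.pid = lp.pid
LEFT JOIN users AS u ON u.uid = p.uid
WHERE lp.protocol = 6
  AND lp.port != 0
ORDER BY lp.port;

-- Narrowing the same join to the page's sshd example: return a row only when
-- something other than a process named sshd is listening on TCP/22, which is
-- the shape a scheduled query takes when it is used as a detection rather than
-- an inventory. An empty result is the expected, healthy state.
SELECT lp.port, lp.address, p.pid, p.name, p.path, p.cmdline
FROM listening_ports AS lp
JOIN processes AS p ON p.pid = lp.pid
WHERE lp.port = 22
  AND lp.protocol = 6
  AND p.name != 'sshd';
```

Because the first query joins rather than listing sockets alone, a port with no matching process (for example one held by a process in another PID namespace) simply drops out of the result, so compare its row count against a plain SELECT on listening_ports when auditing a host.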