fleet/orbit/cmd/fleetd_tables/README.md

Fleet osquery extensions without fleetd

Fleet adds tables in addition to those available in osquery.

If you're deploying plain osquery, the best practice is to build and deploy this fleetd_tables osquery extension each time you upgrade Fleet.

Building the extension

First run (note .ext is required for osquery):

go build -o fleetd_tables.ext fleetd_tables.go

or using the Makefile

make fleetd-tables-linux

Then move it somewhere osqueryd can load it:

sudo cp fleetd_tables.ext /usr/local/osquery_extensions

And tell osqueryd to autoload your extension

echo "/usr/local/osquery_extensions/fleetd_tables.ext" > /tmp/extensions.load

Finally, launch osqueryd

sudo osqueryd --extensions_autoload=/tmp/extensions.load

Local testing

Obtain the extensions_socket

osqueryi --nodisable_extensions
osquery> select value from osquery_flags where name = 'extensions_socket';
+-----------------------------------+
| value                             |
+-----------------------------------+
| /Users/USERNAME/.osquery/shell.em |
+-----------------------------------+

Then run the app

go run ./fleetd_tables.go --socket /Users/USERNAME/.osquery/shell.em

Or you can build the app and have osqueryi load it

go build -o fleetd_tables.ext fleetd_tables.go
osqueryi --extension /path/to/fleetd_tables.ext