I am trying to use evented tables of osquery using Python but I am getting an exception. How can I use evented tables?
    import osquery

    if __name__ == "__main__":
        # Connect to the osquery extensions pipe
        instance = osquery.ExtensionClient('\\.\pipe\osquery.em')
        instance.open()
        while True:
            client = instance.extension_client()
            # Poll the evented table until it returns rows
            results = client.query("SELECT * FROM ntfs_journal_events;")
            if results.response:
                print(results.response)
                break
        instance.connection = None
The error I am getting is:
    Traceback (most recent call last):
      File "C:\Users\Yash\OneDrive - Incrux Technologies Private Limited\Desktop\Incrux\osquery3.py", line 11, in <module>
        results=client.query("SELECT * FROM _events;")
      File "C:\Users\Yash\AppData\Local\Programs\Python\Python310\lib\site-packages\osquery\extensions\ExtensionManager.py", line 181, in query
        self.send_query(sql)
      File "C:\Users\Yash\AppData\Local\Programs\Python\Python310\lib\site-packages\osquery\extensions\ExtensionManager.py", line 190, in send_query
        self._oprot.trans.flush()
      File "C:\Users\Yash\AppData\Local\Programs\Python\Python310\lib\site-packages\thrift\transport\TTransport.py", line 179, in flush
        self.__trans.write(out)
      File "C:\Users\Yash\AppData\Local\Programs\Python\Python310\lib\site-packages\osquery\TPipe.py", line 126, in write
        raise TTransportException(
    thrift.transport.TTransport.TTransportException: Called read on non-open pipe
"Called read on non-open pipe" sounds like osquery isn't listening on that pipe. Is osquery running? Are you sure that's the socket path?
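One way to run the socket-path check the answer asks about, as an added example that is not part of the original thread: it shows the value Python gives the pipe literal as written in the question and validates a path against the `\\.\pipe\` named-pipe prefix. The helper names `parse_literal` and `check_pipe_path` are hypothetical, and the existence check assumes a Windows host.

```python
import ast
import os
import sys
import warnings

PIPE_PREFIX = "\\\\.\\pipe\\"  # the nine characters  \\.\pipe\


def parse_literal(source: str) -> str:
    """Return the runtime value Python gives a string literal written as `source`."""
    with warnings.catch_warnings():
        # Unknown escapes such as \p only warn; the backslash is kept.
        warnings.simplefilter("ignore")
        return ast.literal_eval(source)


def check_pipe_path(path: str, check_exists: bool = sys.platform == "win32") -> list:
    """Return a list of problems with a Windows named-pipe path (empty = looks fine)."""
    problems = []
    name = path[len(PIPE_PREFIX):]
    if not path.startswith(PIPE_PREFIX):
        problems.append(
            f"does not start with {PIPE_PREFIX!r}; got {path[:len(PIPE_PREFIX)]!r}"
        )
    elif not name:
        problems.append("pipe name is empty")
    elif check_exists:
        # Windows only: enumerate the pipes that currently exist on this host.
        existing = {p.lower() for p in os.listdir(PIPE_PREFIX)}
        if name.lower() not in existing:
            problems.append(f"no pipe named {name!r}; is osquery running?")
    return problems


if __name__ == "__main__":
    # Source text of two ways to write the path: the literal as it appears
    # in the question, and the same text with a raw-string prefix.
    for src in (r"'\\.\pipe\osquery.em'", r"r'\\.\pipe\osquery.em'"):
        value = parse_literal(src)
        print(f"{src:26} -> {value!r:28} {check_pipe_path(value) or 'ok'}")
```
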