I am new to osquery. I want to fetch real-time OS information using osquery (from these two tables: process_events and file_events). I understood that we could retrieve this information using osquery in daemon mode. I was even able to do the same.
My question now is, "How do I do the same thing in Golang?"
I do not want to create an extension. Simply, I want to start the osquery daemon and fetch information and store it.
To clarify something... Osquery gathers events from various APIs. Depending on the OS and version, those events might come from any of Auditd, BPF, OpenBSM, EndpointSecurity, ETW... To do the same thing with golang, you'd need to implement something that talks to those APIs.
But, I think the more interesting part of your question is how do you leverage osquery to get that data into something else, ideally with golang. There are (at least) 3 routes to pursue.
First, if you're doing this across a fleet of nodes, it is common to run osquery as an agent talking to a remote TLS server. The remote TLS server is responsible for distributing configuration and collecting logs. This is a common scenario, and there are both commercial and OSS tools in this space.
Second, if you're working locally, you can query a running osquery over the thrift socket. This is the same interface the extensions would use, but it is not an extension. In the go SDK this is exposed as ExtensionManagerClient.
Third, also local, you can have osquery run scheduled queries and log to a local file. Osquery filesystem logging is in json, and this could be ingested.
Generally speaking, I'd recommend towards the first or second approach.
Note that to use the events tables, osquery has to be running as a daemon, so you'll need to either have it running on its own, or otherwise manage it as a persistent process.
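As an added example for the third route (not code from the answer above or from the osquery project): a small Go reader for osqueryd's filesystem results log, assuming the default line format where each line is one JSON object and column values are strings (i.e. --logger_numerics left off), with constructed sample lines standing in for a real osqueryd.results.log.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"io"
)

// Event is one line of osqueryd.results.log. With default settings the filesystem
// logger writes one JSON object per line: differential lines (what process_events and
// file_events produce) carry "columns" plus action "added"; snapshot lines carry "snapshot".
type Event struct {
	Query    string              `json:"name"`
	Host     string              `json:"hostIdentifier"`
	UnixTime int64               `json:"unixTime"`
	Action   string              `json:"action"`
	Columns  map[string]string   `json:"columns"`
	Snapshot []map[string]string `json:"snapshot,omitempty"`
}

// ParseResultsLog reads the log line by line and flattens snapshot lines into one Event per
// row, so every returned Event has its data in Columns. A malformed line is reported with
// its line number rather than silently dropped (a truncated line is worth knowing about).
func ParseResultsLog(r io.Reader) ([]Event, error) {
	var out []Event
	sc := bufio.NewScanner(r)
	sc.Buffer(make([]byte, 1<<20), 1<<20) // long cmdline rows can exceed the 64 KiB default
	for n := 1; sc.Scan(); n++ {
		var ev Event
		if err := json.Unmarshal(sc.Bytes(), &ev); err != nil {
			return out, fmt.Errorf("results log line %d: %w", n, err)
		}
		if ev.Snapshot == nil {
			out = append(out, ev)
			continue
		}
		for _, row := range ev.Snapshot {
			out = append(out, Event{Query: ev.Query, Host: ev.Host, UnixTime: ev.UnixTime, Action: "snapshot", Columns: row})
		}
	}
	return out, sc.Err()
}

// Constructed sample lines in the shape osqueryd writes (not captured from a real host).
const sampleLog = `{"name":"process_events","hostIdentifier":"host-a","calendarTime":"Tue Jan  9 10:00:00 2024 UTC","unixTime":1704794400,"epoch":0,"counter":3,"numerics":false,"decorations":{},"columns":{"pid":"4242","path":"/usr/bin/curl","cmdline":"curl http://example.com","uid":"1000","time":"1704794399"},"action":"added"}
{"name":"file_events","hostIdentifier":"host-a","calendarTime":"Tue Jan  9 10:00:05 2024 UTC","unixTime":1704794405,"epoch":0,"counter":4,"numerics":false,"decorations":{},"columns":{"target_path":"/etc/passwd","category":"etc","action":"UPDATED","time":"1704794404"},"action":"added"}
{"name":"logged_in_users","hostIdentifier":"host-a","calendarTime":"Tue Jan  9 10:00:10 2024 UTC","unixTime":1704794410,"epoch":0,"counter":0,"numerics":false,"decorations":{},"snapshot":[{"user":"alice","tty":"pts/0"},{"user":"bob","tty":"pts/1"}],"action":"snapshot"}
`
```

Point it at the real file (for example `os.Open("/var/log/osquery/osqueryd.results.log")`) and the returned Events are ready to be stored however you like; for the second route you would instead need the osquery-go module and a live osquery socket, which this example deliberately avoids.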