I have a task to write a Python program to retrieve file and process information using osquery while the program is running and we perform any operation on a file in the background. I have written the code below, but it doesn't show any output.
import osquery
instance = osquery.SpawnInstance()
instance.open()
try:
    while True:
        # IN (...) instead of `fe.action='open' OR 'update' OR ...`: a bare string in an OR is false in SQLite, so only 'open' matched.
        results = instance.client.query(
            "SELECT fe.action, fe.md5, p.gid, p.name, pe.mode "
            "FROM processes p JOIN process_events pe ON p.pid = pe.pid "
            "JOIN file_events fe ON pe.path = fe.target_path "
            "WHERE fe.action IN ('open', 'update', 'rename', 'remove', 'close', 'read', 'write');")
        if results.response:
            print(results.response)
finally:
    instance.connection = None
If you are querying evented tables, you need to connect to the osquery daemon. Try this: https://github.com/osquery/osquery-python#connect-to-an-existing-socket
More info about evented tables: https://osquery.readthedocs.io/en/stable/development/pubsub-framework/
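Added example, not code from the answer above or from the osquery project: it attaches to a running osqueryd through its extension socket (the README's "existing socket" approach) and polls file_events with a time cursor, so only events newer than the last poll are returned. The socket path, the column names used, and the fake-client shape are assumptions; the daemon must be running with events enabled and file_paths configured for file_events to produce rows.

```python
import time

# Assumed default osqueryd extension socket on Linux; adjust to your install.
SOCKET_PATH = "/var/osquery/osquery.em"


def build_query(since, actions=None):
    """SQL for file_events newer than `since` (unix seconds), optionally
    restricted to an action list. Uses IN (...) rather than the
    `= 'open' OR 'update'` form, which only ever matches the first value."""
    sql = ("SELECT eid, time, action, target_path, md5, uid, gid, mode "
           "FROM file_events WHERE time > %d" % int(since))
    if actions:
        quoted = ", ".join("'%s'" % a.replace("'", "''") for a in actions)
        sql += " AND action IN (%s)" % quoted
    return sql + " ORDER BY time;"


def poll_once(client, since, actions=None):
    """Run one query via an extension-manager client whose .query() returns an
    object with .status.code/.status.message and .response (osquery-python's
    shape). Returns (rows, new_since); new_since is the newest event time seen,
    so the next poll skips rows already delivered (second granularity)."""
    res = client.query(build_query(since, actions))
    if res.status.code != 0:
        raise RuntimeError("osquery error: %s" % res.status.message)
    rows = res.response
    newest = max((int(r["time"]) for r in rows), default=int(since))
    return rows, newest


def connect(path=SOCKET_PATH):
    """Attach to the daemon's socket. A SpawnInstance() has no event publishers,
    so evented tables such as file_events stay empty there."""
    import osquery  # deferred so the helpers above work without osquery installed
    ext = osquery.ExtensionClient(path=path)
    ext.open()
    return ext.extension_manager_client()


if __name__ == "__main__":
    client = connect()
    since = int(time.time())  # start from now; older buffered events are skipped
    while True:
        rows, since = poll_once(client, since)
        for r in rows:
            print(r["time"], r["action"], r["target_path"], r["uid"], r["md5"])
        time.sleep(2)
```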