OSQuery alternatives and similar tools
Based on the "Security" category.
Alternatively, view OSQuery alternatives based on common mentions on social networks and blogs.
lynis8.5 1.7 OSQuery VS lynisLynis - Security auditing tool for Linux, macOS, and UNIX-based systems. Assists with compliance testing (HIPAA/ISO27001/PCI DSS) and system hardening. Agentless, and installation optional.
Fail2Ban8.2 7.0 L2 OSQuery VS Fail2BanDaemon to ban hosts that cause multiple authentication errors
Wazuh7.7 9.9 OSQuery VS WazuhWazuh - The Open Source Security Platform. Unified XDR and SIEM protection for endpoints and cloud workloads.
Blackbox7.6 4.7 OSQuery VS BlackboxSafely store secrets in Git/Mercurial/Subversion
pfSense7.6 9.8 L2 OSQuery VS pfSenseMain repository for pfSense
CrowdSec7.5 8.9 OSQuery VS CrowdSecCrowdSec - the open-source and participative IPS able to analyze visitor behavior & provide an adapted response to all kinds of attacks. It also leverages the crowd power to generate a global CTI database to protect the user network.
OSSEC7.4 0.0 L2 OSQuery VS OSSECOSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.
Suricata7.2 9.9 OSQuery VS SuricataSuricata git repository maintained by the OISF
Snort6.0 8.9 L1 OSQuery VS SnortSnort++
autoVPN5.8 0.0 OSQuery VS autoVPNCreate On Demand Disposable OpenVPN Endpoints on AWS.
Kippo5.6 0.0 L4 OSQuery VS KippoKippo - SSH Honeypot
Password Pusher5.2 6.5 OSQuery VS Password Pusher🔐 An application to securely communicate passwords over the web. Passwords automatically expire after a certain number of views and/or time has passed. Track who, what and when.
fwknop4.9 0.0 L3 OSQuery VS fwknopSingle Packet Authorization > Port Knocking
Glastopf4.5 0.0 L5 OSQuery VS GlastopfWeb Application Honeypot
Denyhosts4.5 1.0 L3 OSQuery VS DenyhostsAutomated host blocking from SSH brute force attacks
Pen Test Tools4.4 0.0 L5 OSQuery VS Pen Test ToolsHomebrew Tap - Pen Test Tools
SpamAssassin3.4 4.7 L3 OSQuery VS SpamAssassinRead-only mirror of Apache SpamAssassin. Submit patches to https://bz.apache.org/SpamAssassin/. Do not send pull requests
SOCless2.8 3.2 OSQuery VS SOClessThe SOCless automation framework
Access the most powerful time series database as a service
* Code Quality Rankings and insights are calculated and provided by Lumnify.
They vary from L1 to L5 with "L5" being the highest.
Do you think we are missing an alternative of OSQuery or a related project?
osquery is a SQL powered operating system instrumentation, monitoring, and analytics framework. Available for Linux, macOS, and Windows.
Information and resources
- Homepage: osquery.io
- Downloads: osquery.io/downloads
- Documentation: ReadTheDocs
- Stack Overflow: Stack Overflow questions
- Table Schema: osquery.io/schema
- Query Packs: osquery.io/packs
- Slack: Browse the archives or Join the conversation
- Build Status:
- CII Best Practices:
What is osquery?
osquery exposes an operating system as a high-performance relational database. This allows you to write SQL-based queries to explore operating system data. With osquery, SQL tables represent abstract concepts such as running processes, loaded kernel modules, open network connections, browser plugins, hardware events or file hashes.
SQL tables are implemented via a simple plugin and extensions API. A variety of tables already exist and more are being written: https://osquery.io/schema. To best understand the expressiveness that is afforded to you by osquery, consider the following SQL queries:
SELECT * FROM users;
processes that have a deleted executable:
SELECT * FROM processes WHERE on_disk = 0;
Get the process name, port, and PID, for processes listening on all interfaces:
SELECT DISTINCT processes.name, listening_ports.port, processes.pid FROM listening_ports JOIN processes USING (pid) WHERE listening_ports.address = '0.0.0.0';
Find every macOS LaunchDaemon that launches an executable and keeps it running:
SELECT name, program || program_arguments AS executable FROM launchd WHERE (run_at_load = 1 AND keep_alive = 1) AND (program != '' OR program_arguments != '');
Check for ARP anomalies from the host's perspective:
SELECT address, mac, COUNT(mac) AS mac_count FROM arp_cache GROUP BY mac HAVING count(mac) > 1;
Alternatively, you could also use a SQL sub-query to accomplish the same result:
SELECT address, mac, mac_count FROM (SELECT address, mac, COUNT(mac) AS mac_count FROM arp_cache GROUP BY mac) WHERE mac_count > 1;
These queries can be:
- performed on an ad-hoc basis to explore operating system state using the osqueryi shell
- executed via a scheduler to monitor operating system state across a set of hosts
- launched from custom applications using osquery Thrift APIs
Download & Install
To download the latest stable builds and for repository information and installation instructions visit https://osquery.io/downloads.
We use a simple numbered versioning scheme
X.Y.Z, where X is a major version, Y is a minor, and Z is a patch.
We plan minor releases roughly every two months. These releases are tracked on our Milestones page. A patch release is used when there are unforeseen bugs with our minor release and we need to quickly patch.
A rare 'revision' release might be used if we need to change build configurations.
Major, minor, and patch releases are tagged on GitHub and can be viewed on the Releases page. We open a new Release Checklist issue when we prepare a minor release. If you are interested in the status of a release, please find the corresponding checklist issue, and note that the issue will be marked closed when we are finished the checklist. We consider a release 'in testing' during the period of hosting new downloads on our website and adding them to our hosted repositories. We will mark the release as 'stable' on GitHub when enough testing has occurred, this usually takes two weeks.
Build from source
Building osquery from source is encouraged! Check out our build guide. Also check out our [contributing guide](CONTRIBUTING.md) and join the community on Slack.
By contributing to osquery you agree that your contributions will be licensed as defined on the LICENSE file.
We keep track of security announcements in our tagged version release notes on GitHub. We aggregate these into [SECURITY.md](SECURITY.md) too.
The osquery documentation is available online. Documentation for older releases can be found by version number, as well.
If you're interested in learning more about osquery read the launch blog post for background on the project, visit the users guide.
Development and usage discussion is happening in the osquery Slack, grab an invite here!
*Note that all licence references and agreements mentioned in the OSQuery README section above are relevant to that project's source code only.