For details on how osqueryd schedules queries and loads information from a config, see the configuration deployment guide.

If you would like to use services like scribe or flume, you need to write a C++ function that consumes/handles a string argument.

Example: glog logger

This following is a overly simplified logger plugin that writes results to a glog info line.

  1. #include <osquery/logger.h>
  2. #include <glog/logging.h>
  4. namespace osquery {
  6. class GlogLoggerPlugin : public LoggerPlugin {
  7.  public:
  8.   Status logString(const std::string& message) {
  9.     LOG(INFO) << message;
  10.     return Status(0, "OK");
  11.   }
  13.   virtual ~GlogLoggerPlugin() {}
  14. };
  16. REGISTER(GlogLoggerPlugin, "logger", "glog");
  17. }

Essentially, you are just implementing a logString method. When the daemon identifies a change to a query schedule it will call the active logger plugin's logString method after converting the change details into JSON.

Using the plugin

Add the source to osquery/logger/plugins/CMakeLists.txts and it will be compiled and linked.

Now when starting osqueryd you may use —logger_plugin=name where the name is the string identifier used in REGISTER.