by techntoke 2496 days ago
The Linux kernel already has a pretty good API available via file nodes. And there are other lightweight tools to gather and parse information. Not sure I understand the benefits of exposing it through SQL, but I know some people are obsessed with SQL.
5 comments

Normalizing the data without vast sort/sed/awk gymnastics seems the key win.
My understanding is there's security and standardization benefits as well. If I'm remembering correctly, there was a local keychain credential stealing attack around the time I was first looking at it, and they had a plug-in available for detection the same day. While it wasn't something magical you couldn't write, test and run on your fleet yourself, a central place to deduplicate that sort of work/test cycle and collaborate was compelling.
The real power of SQL is joins. But not only might you want to simply query, think about grouping and group functions. For example: say you wanted to know the highest rate of gif file creation per second between two dates, for a certain user. That's what you could do with a simple SQL query.
Personally I'll be glad if this serves me as a tool to get info from `ps`, `netstat` and similar things without looking through man pages every time I'm doing something other than the handful of routine invocations.

Thought of writing such a util myself, actually, though not with SQL.

My use case was something like: for all users of the OS, give me all SSH fingerprints in .ssh/authorized_keys and stuff like that. Mostly for security and compliance.

My other use case is netstat working differently on Linux and macOS, so I alias an osqueryi command on macOS to show me which process opens which port.

Correlating around different API calls is a good use case for SQL
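As an added illustration (not code from any commenter or from the osquery project), here are the two joins described above written as osqueryi queries: the per-user authorized_keys inventory and the process-to-listening-port mapping. Table and column names (users, authorized_keys, processes, listening_ports) follow osquery's schema as I know it; confirm them with `.schema <table>` in osqueryi for your version before relying on them.

```sql
-- Added example, not from the thread. Assumes osquery's users, authorized_keys,
-- processes and listening_ports tables with the columns named below.

-- 1. Every local user's SSH authorized_keys entries (compliance sweep).
--    authorized_keys is populated per user, so joining on uid attaches the
--    login name and home directory to each key.
SELECT u.username,
       u.directory,
       a.key_file,
       a.algorithm,
       a.key
FROM authorized_keys AS a
JOIN users AS u USING (uid)
ORDER BY u.username, a.key_file;

-- 2. Which process holds which listening port; the same query runs on Linux
--    and macOS, unlike netstat's differing flags. listening_ports.protocol is
--    the IANA protocol number, so 6/17 are decoded to tcp/udp for readability.
SELECT lp.port,
       CASE lp.protocol
            WHEN 6  THEN 'tcp'
            WHEN 17 THEN 'udp'
            ELSE lp.protocol
       END AS proto,
       lp.address,
       p.pid,
       p.name,
       p.path,
       p.uid
FROM listening_ports AS lp
JOIN processes AS p USING (pid)
WHERE lp.port != 0
ORDER BY lp.port, p.pid;
```

Either query can be passed as a single string argument to osqueryi, which is how the shell alias mentioned above would wrap it.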