Create a check definition to execute the osquery command on the Agent.
Before you begin
Role required: agent_client_collector_integration or agent_client_collector_admin
Procedure
-
In an Event Management instance, navigate to .
-
Click New.
-
In the Name field, enter util.osquery.
-
In the Check type field, enter osquery.
-
In the Command field, enter the following script:
osqueryi --logger_min_status 1 --json "{{.labels.params_query}} "
-
In the Plugins field, enter the osquery plugin.
-
In the Parameters section, enter the following values for a check parameter definition.
| Column | Value |
|---|
| Name |
query |
| Default value |
select * from logged_in_users |
| Mandatory |
true |
-
Click Test check and select one of the available agents.
The test result appears, indicating its success or failure.