
osquery-python extension causing osqueryi errors


I have a newbie question about creating osquery extensions using osquery-python. I created a small extension that gets some additional RPM info from my Linux system. Following the instructions in the docs, I added the path to the extension in /etc/osquery/extensions.load to get it to autoload. I restarted osqueryd and I see the extension running using ps ax.

If I interactively run osqueryi, I can see the table and get data. It all works perfectly.

However, when I run an osqueryi command 'one-liner' such as:

osqueryi .tables
I get a bunch of the following errors with my output:

#INFO:thrift.transport.TSocket:Could not connect to /root/.osquery/shell.em
Traceback (most recent call last):
  File "build/bdist.linux-x86_64/egg/thrift/transport/TSocket.py", line 104, in open
    handle.connect(sockaddr)
  File "/usr/lib64/python2.7/socket.py", line 224, in meth
    return getattr(self._sock,name)(*args)
error: [Errno 2] No such file or directory
ERROR:thrift.transport.TSocket:Could not connect to any of ['/root/.osquery/shell.em']

What have I done wrong?


Solution

  • Extensions are run in a separate process. You can see the socket errors, which indicate the extension process cannot communicate with the osquery process. Make sure osqueryd or osqueryi is running. Link: osquery doc page for extensions.
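
To check the condition the answer describes, the following added example (not part of the original post or of osquery-python) probes a UNIX domain socket path the way a connecting extension would and reports whether it is missing, stale, or has a process listening. The function name `probe_extension_socket` and its return labels are hypothetical; the path in the `__main__` block is the one from the error output above.

```python
import errno
import os
import socket
import stat


def probe_extension_socket(path, timeout=1.0):
    """Classify a UNIX socket path as an extension client would see it.

    Returns "missing", "not-a-socket", "stale", "denied" or "listening".
    """
    try:
        mode = os.stat(path).st_mode
    except OSError as exc:
        if exc.errno == errno.ENOENT:
            return "missing"  # the [Errno 2] case in the traceback
        if exc.errno == errno.EACCES:
            return "denied"
        raise
    if not stat.S_ISSOCK(mode):
        return "not-a-socket"

    client = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    client.settimeout(timeout)
    try:
        client.connect(path)
    except socket.error as exc:
        if exc.errno == errno.ECONNREFUSED:
            return "stale"  # socket file left behind, nothing accepting on it
        if exc.errno in (errno.EACCES, errno.EPERM):
            return "denied"
        if exc.errno == errno.ENOENT:
            return "missing"  # removed between stat() and connect()
        raise
    finally:
        client.close()
    return "listening"


if __name__ == "__main__":
    # Path taken from the error output quoted in the question.
    print(probe_extension_socket("/root/.osquery/shell.em"))
```

A result of "missing" or "stale" means no osquery process is serving that socket at the moment of the check, which matches the `Could not connect` errors in the question.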