Create a check definition to execute the osquery command on the Agent.

Before you begin

Role required: agent_client_collector_integration or agent_client_collector_admin

Procedure

  1. In an Event Management instance, navigate to Agent Client Collector > Check Definitions.
  2. Click New.
  3. In the Name field, enter util.osquery.
  4. In the Check type field, enter osquery.
  5. In the Command field, enter the following script:
    osqueryi --logger_min_status 1 --json "{{.labels.params_query}} "
  6. In the Plugins field, enter the osquery plugin.
  7. In the Parameters section, enter the following values for a check parameter definition.
    Column          Value
    Name            query
    Default value   select * from logged_in_users
    Mandatory       true
  8. Click Test check and select one of the available agents.
    The test result appears, indicating its success or failure.
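
A pre-check for values destined for the query parameter, as an added example that is not part of the original procedure or of the product: it accepts only a single SELECT statement that contains none of the characters that are special inside the double quotes of the Command field. It assumes the Agent substitutes the parameter textually and runs the command through a shell; validate_query and render_command are hypothetical names, and the sample queries other than the default value are constructed.

```python
import re

# Command field as entered in step 5 of the procedure.
COMMAND_TEMPLATE = 'osqueryi --logger_min_status 1 --json "{{.labels.params_query}} "'
# Assumption: a shell interprets the command, so these characters would
# change the meaning of the double-quoted argument.
UNSAFE_CHARS = set('"`$\\')
# Assumption: checks only read data, so only a SELECT statement is accepted.
SELECT_RE = re.compile(r"^\s*select\s", re.IGNORECASE)


def validate_query(query):
    """Return a list of problems; an empty list means the value is acceptable."""
    if not query.strip():
        return ["query is empty, but the parameter is mandatory"]
    problems = []
    if any(ord(c) < 32 for c in query):
        problems.append("control character (newline, tab, ...) in query")
    bad = sorted(UNSAFE_CHARS.intersection(query))
    if bad:
        problems.append("characters special inside double quotes: " + " ".join(bad))
    if not SELECT_RE.match(query):
        problems.append("not a SELECT statement")
    # One trailing semicolon is fine; a semicolon anywhere else is rejected,
    # even inside a string literal (deliberately conservative).
    if ";" in query.strip().rstrip(";"):
        problems.append("more than one statement")
    return problems


def render_command(query):
    """Mimic the textual substitution (assumed), refusing rejected values."""
    problems = validate_query(query)
    if problems:
        raise ValueError("; ".join(problems))
    return COMMAND_TEMPLATE.replace("{{.labels.params_query}}", query)


if __name__ == "__main__":
    samples = [
        "select * from logged_in_users",                 # default value from the page
        "select * from users; select * from processes",  # constructed
        'select "user" from logged_in_users',            # constructed
    ]
    for q in samples:
        print(repr(q), "->", validate_query(q) or "ok")
```
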