Osquery FAQ
This page answers frequently asked questions about using Osquery in Kibana.
How is Osquery Manager different from Osquery?
The Osquery Manager integration brings Osquery capabilities to the Elastic Stack and makes it easier to manage Osquery across a large number of hosts. Most Osquery functionality works the same way in Kibana as it does when you deploy Osquery yourself. However, there are a few differences and known issues, outlined below.
How do I grant Full Disk Access?
Full Disk Access (FDA) is required to fully query some tables on macOS. Granting FDA is not yet supported for Osquery Manager. This impacts a small set of tables that access file directories that are restricted due to heightened permissions from Apple, including file, file_events, es_process_events, and any custom tables configured with ATC that require access to these directories. When querying these tables, you won't get results from the restricted directories.
Why can’t I query the carves table?
File carving is not yet supported in the Elastic Stack, and carves table queries do not return results.
Does the Osquery .help command work in Kibana?
The Osquery .help command is not available when running live queries in Kibana. Instead, refer to the Osquery schema for all available tables, fields, and supported operating systems for each.
Can I use Osquery extensions in Kibana?
Osquery Manager does not currently support Osquery extensions.
Can I do File Integrity Monitoring (FIM)?
Yes, you can set up Osquery FIM using the Advanced configuration option for Osquery Manager (see Customize Osquery configuration). However, Elastic also provides a File Integrity Monitoring integration for Elastic Agent, which might prove to be easier to configure than the current options available for Osquery Manager.
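The following is an added example of what an Osquery FIM configuration looks like; it is not taken from this page or from the Osquery Manager integration itself, and it assumes that the Advanced configuration option accepts the standard osquery configuration JSON (the file_paths, exclude_paths, options and schedule keys are osquery's own; the category names and the monitored paths are constructed for illustration). The scheduled query turns the file_events table into a periodic feed of create, modify and delete events, with hashes, for the watched paths.

```json
{
  "options": {
    "disable_events": false,
    "enable_file_events": true
  },
  "file_paths": {
    "system_binaries": ["/usr/bin/%%", "/usr/sbin/%%"],
    "system_config": ["/etc/%%"],
    "user_ssh": ["/home/%/.ssh/%%"]
  },
  "exclude_paths": {
    "system_config": ["/etc/ld.so.cache"]
  },
  "schedule": {
    "fim_file_events": {
      "query": "SELECT target_path, category, action, sha256, time FROM file_events;",
      "interval": 300,
      "removed": false
    }
  }
}
```

Two points a practitioner should keep in mind: "%%" is osquery's recursive wildcard, so each entry above watches an entire subtree and event volume grows with the breadth of the paths you choose; and, as the Full Disk Access answer above explains, on macOS the file_events table will not report changes under Apple-restricted directories until FDA can be granted, so those paths are blind spots even with this configuration in place.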
Where can I get help with osquery syntax?
Osquery uses a superset of SQLite for queries. To get started with osquery SQL, refer to the Osquery documentation. For help with more advanced questions, the Osquery community has an active Slack workspace and GitHub project. You can find links for both at osquery.io.
How often is Osquery updated for Osquery Manager?
When a new version of Osquery is released, it is included in a subsequent Elastic Agent release and applied when the agent is upgraded. After that, when running queries from Osquery Manager in Kibana, the updated Osquery version is used. Refer to the Fleet and Elastic Agent Guide for help with upgrading Fleet-managed Elastic Agents.
To check what Osquery version is installed on an Elastic Agent, you can run SELECT version FROM osquery_info; as a live query in Kibana. The version in the response is the Osquery version installed on the agent.