osquery-python

Cannot start process from path: /usr/local/bin/osqueryd

Open pathikrit opened this issue 2 years ago • 0 comments

I installed osquery using:

$ brew install osquery

Verified it works:

$ osqueryi
Using a virtual database. Need help, type '.help'
osquery> select timestamp from time;
+------------------------------+
| timestamp                    |
+------------------------------+
| Mon Apr 17 15:36:50 2023 UTC |
+------------------------------+

Copied the code from README:

import osquery

if __name__ == "__main__":
    instance = osquery.SpawnInstance()
    instance.open()
    instance.client.query("select timestamp from time;")

When I ran the above code, I got this error:

Traceback (most recent call last):
  File "main.py", line 5, in <module>
    instance.open()
  File "./venv/lib/python3.8/site-packages/osquery/management.py", line 137, in open
    raise Exception("Cannot start process from path: %s" % (self.path))
Exception: Cannot start process from path: /usr/local/bin/osqueryd

I then noticed that osqueryi is simply a symlink to osqueryd which the above is looking for:

$ ls -a /usr/local/bin/osqueryi
lrwxr-xr-x 52 root 17 Apr 11:20 /usr/local/bin/osqueryi -> /opt/osquery/lib/osquery.app/Contents/MacOS/osqueryd

So I tried this:

import osquery

if __name__ == "__main__":
    instance = osquery.SpawnInstance("/usr/local/bin/osqueryi")
    instance.open()
    instance.client.query("select timestamp from time;")

But now I get a different error:

Traceback (most recent call last):
  File "./main.py", line 6, in <module>
    instance.client.query("select timestamp from time;")
  File "./venv/lib/python3.8/site-packages/osquery/extensions/ExtensionManager.py", line 181, in query
    self.send_query(sql)
  File "./venv/lib/python3.8/site-packages/osquery/extensions/ExtensionManager.py", line 190, in send_query
    self._oprot.trans.flush()
  File "./venv/lib/python3.8/site-packages/thrift/transport/TTransport.py", line 179, in flush
    self.__trans.write(out)
  File "./venv/lib/python3.8/site-packages/thrift/transport/TSocket.py", line 172, in write
    raise TTransportException(type=TTransportException.NOT_OPEN,
thrift.transport.TTransport.TTransportException: Transport not open

What am I doing wrong? Why doesn't running the code from the README work?

pathikrit, Apr 17 '23 15:04
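
A preflight check for the path problem described in the post above, as an added example that is not part of the original issue or of osquery-python: it resolves symlinks and classifies a candidate binary path before anything is spawned, and goes slightly beyond the post by also flagging a binary that other accounts can rewrite. The function names and the temporary directory layout are hypothetical, constructed to mirror the `osqueryi` symlink shown in the post; the check does not address the Thrift `Transport not open` error.

```python
import os
import stat
import tempfile


def check_osquery_binary(path):
    """Classify a candidate binary path before it is handed to a spawner.

    Returns (status, resolved_path). Status is one of: 'missing',
    'dangling-symlink', 'not-a-file', 'not-executable',
    'writable-by-others', 'ok'.
    """
    if not os.path.lexists(path):
        return ("missing", None)
    resolved = os.path.realpath(path)  # follow every symlink in the chain
    if not os.path.exists(resolved):
        return ("dangling-symlink", resolved)
    if not os.path.isfile(resolved):
        return ("not-a-file", resolved)
    mode = os.stat(resolved).st_mode
    if not mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        return ("not-executable", resolved)
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        # A daemon binary that other accounts can rewrite should not be spawned.
        return ("writable-by-others", resolved)
    return ("ok", resolved)


def build_sample_layout(root):
    """Constructed layout mirroring the post: bin/osqueryi is a symlink into
    an app bundle, and bin/osqueryd does not exist."""
    macos_dir = os.path.join(root, "osquery.app", "Contents", "MacOS")
    bin_dir = os.path.join(root, "bin")
    os.makedirs(macos_dir)
    os.makedirs(bin_dir)
    target = os.path.join(macos_dir, "osqueryd")
    with open(target, "w") as fh:
        fh.write("#!/bin/sh\n")  # stand-in file, never executed
    os.chmod(target, 0o755)
    os.symlink(target, os.path.join(bin_dir, "osqueryi"))
    return bin_dir, target


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        bin_dir, _ = build_sample_layout(root)
        for name in ("osqueryd", "osqueryi"):
            print(name, check_osquery_binary(os.path.join(bin_dir, name)))
```
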