Cannot start process from path: /usr/local/bin/osqueryd #90

@pathikrit

I installed osquery using:

$ brew install osquery

Verified it works:

$ osqueryi
Using a virtual database. Need help, type '.help'
osquery> select timestamp from time;
+------------------------------+
| timestamp                    |
+------------------------------+
| Mon Apr 17 15:36:50 2023 UTC |
+------------------------------+

Copied the code from README:

import osquery

if __name__ == "__main__":
    instance = osquery.SpawnInstance()
    instance.open()
    instance.client.query("select timestamp from time;")

When I ran the above code, I got this error:

Traceback (most recent call last):
  File "main.py", line 5, in <module>
    instance.open()
  File "./venv/lib/python3.8/site-packages/osquery/management.py", line 137, in open
    raise Exception("Cannot start process from path: %s" % (self.path))
Exception: Cannot start process from path: /usr/local/bin/osqueryd

I then noticed that osqueryi is simply a symlink to osqueryd which the above is looking for:

$ ls -a /usr/local/bin/osqueryi
lrwxr-xr-x 52 root 17 Apr 11:20 /usr/local/bin/osqueryi -> /opt/osquery/lib/osquery.app/Contents/MacOS/osqueryd

So I tried this:

import osquery

if __name__ == "__main__":
    instance = osquery.SpawnInstance("/usr/local/bin/osqueryi")
    instance.open()
    instance.client.query("select timestamp from time;")

But now I get a different error:

Traceback (most recent call last):
  File "./main.py", line 6, in <module>
    instance.client.query("select timestamp from time;")
  File "./venv/lib/python3.8/site-packages/osquery/extensions/ExtensionManager.py", line 181, in query
    self.send_query(sql)
  File "./venv/lib/python3.8/site-packages/osquery/extensions/ExtensionManager.py", line 190, in send_query
    self._oprot.trans.flush()
  File "./venv/lib/python3.8/site-packages/thrift/transport/TTransport.py", line 179, in flush
    self.__trans.write(out)
  File "./venv/lib/python3.8/site-packages/thrift/transport/TSocket.py", line 172, in write
    raise TTransportException(type=TTransportException.NOT_OPEN,
thrift.transport.TTransport.TTransportException: Transport not open

What am I doing wrong? Why doesn't running the code from the README work??
