#osquery
Learn how to install osquery on an Ubuntu VPS. This article is a step-by-step guide to installing and configuring osquery on Ubuntu.

Table of Contents

* What is Osquery?
* What You'll Need
* How to Install Osquery on Ubuntu VPS
  1. Update the system & install helpers
  2. Add the official Osquery APT repository
  3. Install Osquery
  4. Know the file layout (Ubuntu/Debian packages)
  5. Create a minimal, production-safe config
  6. Flags file for CLI-only options
  7. Enable & start the service
  8. Try interactive queries
  9. File Integrity Monitoring (FIM) check
  10. (Optional) Log to syslog/journald
  11. (Optional) Enroll with Fleet (central management)
  12. Hardening & performance tips
  13. Troubleshooting
  14. Upgrades & removal
* Quick-install one-liner (optional)
* You're done!

### What is Osquery?

Osquery is a lightweight, SQL-powered agent that exposes your Linux system as a set of tables you query like a database. Need to list running processes, open ports, installed packages, or detect file changes? You can do it all with plain `SELECT` statements and run them on a schedule. Below is a production-ready, step-by-step guide tailored for Ubuntu VPS servers.

### What You'll Need

* An Ubuntu VPS (Ubuntu 20.04, 22.04 or 24.04 LTS) with sudo/root access
* Internet connectivity (to fetch packages)
* ~100 MB of disk for binaries and logs (more if you log verbosely or watch large directory trees)

## How to Install Osquery on Ubuntu VPS

To install Osquery on an Ubuntu VPS, follow the steps below.

### 1. Update the system & install helpers

```bash
sudo apt update
sudo apt -y install curl gpg ca-certificates
```

### 2. Add the official Osquery APT repository

> Why the repo? Distribution packages, where they exist at all, lag behind upstream. The official repo ships current, signed builds for amd64 and arm64.

Create a keyring and source list:

```bash
# Import the signing key into a dedicated keyring (no deprecated apt-key)
curl -fsSL https://pkg.osquery.io/deb/pubkey.gpg \
  | sudo gpg --dearmor -o /usr/share/keyrings/osquery-archive-keyring.gpg

# Add the repository (auto-detect architecture), bound to that key only
ARCH=$(dpkg --print-architecture)
echo "deb [arch=${ARCH} signed-by=/usr/share/keyrings/osquery-archive-keyring.gpg] https://pkg.osquery.io/deb deb main" \
  | sudo tee /etc/apt/sources.list.d/osquery.list
sudo apt update
```

Before trusting the key, look at what you imported (`gpg --show-keys /usr/share/keyrings/osquery-archive-keyring.gpg`) and compare the key ID with the one published in the osquery installation docs. `signed-by=` scopes that key to this one repository, so a compromise of the osquery key could not be used to sign packages for Ubuntu's own archives.

### 3. Install Osquery

```bash
sudo apt -y install osquery
```

Verify:

```bash
osqueryi --version
# osqueryi version x.y.z
```

### 4. Know the file layout (Ubuntu/Debian packages)

* Binaries:
  * Interactive shell: `/usr/bin/osqueryi`
  * Daemon (service): `/usr/bin/osqueryd`
  * On current official packages these are symlinks into `/opt/osquery/bin/`
* Config directory: `/etc/osquery/`
  * Config file: `/etc/osquery/osquery.conf` (you create it)
  * Flags file: `/etc/osquery/osquery.flags` (you create it; the packaged unit passes it as `--flagfile`, confirm with `systemctl cat osqueryd`)
* Packs (ready-made queries): `/usr/share/osquery/packs/` on older packages, `/opt/osquery/share/osquery/packs/` on current ones. Run `dpkg -L osquery | grep packs` and use the path it prints in the `packs` section of your config.
* State/DB: `/var/osquery/`
* Logs: `/var/log/osquery/`
* Systemd unit: `osqueryd.service`

### 5. Create a minimal, production-safe config

One rule shapes this config: osquery has "CLI-only" flags (`logger_plugin`, `logger_path`, `database_path`, `pidfile`, `disable_events` and `config_refresh` among them) that are read only from the command line or the flags file and are ineffective in a config file's `options` block. Keep those for step 6 and put only runtime options here.

Create `/etc/osquery/osquery.conf`:

```bash
sudo tee /etc/osquery/osquery.conf >/dev/null <<'JSON'
{
  "options": {
    "host_identifier": "hostname",
    "schedule_splay_percent": 10,
    "events_expiry": 3600
  },
  "schedule": {
    "system_info_hourly": {
      "query": "SELECT hostname, cpu_brand, physical_memory FROM system_info;",
      "interval": 3600
    },
    "os_version_hourly": {
      "query": "SELECT name, version, major, minor, patch FROM os_version;",
      "interval": 3600
    },
    "listening_ports_5m": {
      "query": "SELECT pid, port, address, protocol FROM listening_ports;",
      "interval": 300
    },
    "installed_packages_6h": {
      "query": "SELECT name, version, revision, arch FROM deb_packages;",
      "interval": 21600
    },
    "fim_events": {
      "query": "SELECT * FROM file_events;",
      "interval": 60,
      "removed": false
    }
  },
  "file_paths": {
    "etc": ["/etc/%%"],
    "binaries": ["/bin/%%", "/sbin/%%", "/usr/bin/%%", "/usr/sbin/%%"],
    "logs": ["/var/log/%%"],
    "web": ["/var/www/%%"]
  },
  "exclude_paths": {
    "logs": ["/var/log/journal/%%", "/var/log/osquery/%%"]
  },
  "decorators": {
    "load": [
      "SELECT uuid AS host_uuid FROM system_info;",
      "SELECT hostname AS host FROM system_info;"
    ]
  },
  "packs": {
    "osquery-monitoring": "/opt/osquery/share/osquery/packs/osquery-monitoring.conf"
  }
}
JSON
```

**What this does**

* Splays (randomises) schedule start times by up to 10% so a fleet does not query in lockstep
* Schedules a few cheap, useful queries. The listening-ports query asks only for columns `listening_ports` actually has (there is no `state` column; a query that names one fails to compile and logs nothing)
* Collects file events under the `file_paths` categories, with `"removed": false` because event rows are append-only and a "removed" diff is meaningless for them
* Excludes osquery's own log directory from the `logs` category; otherwise every write to `osqueryd.results.log` produces a `file_events` row, which is written to the same log, which produces another event
* Loads the built-in osquery-monitoring pack for self-health checks (adjust the path to what `dpkg -L osquery | grep packs` printed)

> Note: `file_events` also needs events enabled (`--disable_events=false`, the default, set in the flags file in step 6). On Linux it uses inotify, so large trees under `/usr/bin/%%` or `/var/log/%%` can exhaust `fs.inotify.max_user_watches`; check `osqueryd.INFO` for inotify errors and raise the sysctl if you see them.

### 6. Flags file for CLI-only options

The settings below are CLI-only flags, so they live here rather than in `osquery.conf`. Create `/etc/osquery/osquery.flags`:

```bash
sudo tee /etc/osquery/osquery.flags >/dev/null <<'FLAGS'
--config_path=/etc/osquery/osquery.conf
--config_refresh=300
--logger_plugin=filesystem
--logger_path=/var/log/osquery
--pidfile=/var/osquery/osquery.pid
--database_path=/var/osquery/osquery.db
--disable_events=false
--utc=true
FLAGS
```

> If you later integrate with a central manager (Fleet/Kolide), the TLS flags go here too (see the optional section below).

### 7. Enable & start the service

```bash
sudo systemctl daemon-reload
sudo systemctl enable --now osqueryd
sudo systemctl status osqueryd --no-pager
```

**Check logs**:

```bash
sudo ls -l /var/log/osquery/
sudo tail -n 100 /var/log/osquery/osqueryd.results.log
sudo journalctl -u osqueryd -n 50 --no-pager
```

### 8. Try interactive queries

Use the shell for ad-hoc questions:

```bash
# Open the interactive shell
sudo osqueryi
```

```sql
-- Examples inside osqueryi:
SELECT * FROM system_info;
SELECT name, version FROM deb_packages WHERE name LIKE 'openssh%';
SELECT pid, name, path FROM processes WHERE name = 'sshd';
SELECT address, port, protocol, pid FROM listening_ports ORDER BY port;
.quit
```

For machine-readable output:

```bash
sudo osqueryi --json "SELECT hostname, cpu_brand, physical_memory FROM system_info;"
```

### 9. File Integrity Monitoring (FIM) check

With the config above, Osquery watches common paths. Generate a test event and wait for the 60-second `fim_events` schedule to flush it (results are keyed by the schedule name, not by the table name, so grep for `fim_events`):

```bash
sudo touch /etc/test-osquery-fim.txt
sudo rm /etc/test-osquery-fim.txt
sleep 70
sudo tail -n 200 /var/log/osquery/osqueryd.results.log | grep fim_events | tail -n 5
```

You should see two `fim_events` entries for `/etc/test-osquery-fim.txt`, one with `"action":"CREATED"` and one with `"action":"DELETED"`.

> If you also run `auditd` and later enable osquery's audit-based tables (`process_events`, `socket_events`), only one consumer can own the kernel audit socket, so decide which it is. FIM via `file_events` uses inotify and does not conflict with `auditd`.

### 10. (Optional) Log to syslog/journald

`logger_plugin` is a CLI-only flag, so it is changed in the flags file, not the config:

```bash
sudo sed -i 's/^--logger_plugin=.*/--logger_plugin=filesystem,syslog/' /etc/osquery/osquery.flags
sudo systemctl restart osqueryd
```

Check the journal (newer Ubuntu releases may not have rsyslog installed, so `/var/log/syslog` may not exist):

```bash
sudo journalctl -g osquery -n 100 --no-pager
```

### 11. (Optional) Enroll with Fleet (central management)

If you use Fleet or a similar manager, add TLS flags. Replace the values with your server details:

```bash
# Enroll secret (paste the one your Fleet server issued)
echo "YOUR-ENROLL-SECRET" | sudo tee /etc/osquery/enroll_secret >/dev/null
sudo chmod 600 /etc/osquery/enroll_secret

# Server CA / certificate chain for your Fleet server, in PEM format
# Save it to /etc/osquery/fleet.pem (for example with: sudo nano /etc/osquery/fleet.pem)

# Drop the local-only logger line so the file stays unambiguous, then add the TLS flags
sudo sed -i '/^--logger_plugin=/d' /etc/osquery/osquery.flags
sudo tee -a /etc/osquery/osquery.flags >/dev/null <<'FLAGS'
--enroll_secret_path=/etc/osquery/enroll_secret
--tls_hostname=fleet.example.com:443
--tls_server_certs=/etc/osquery/fleet.pem
# Fetch config and ship logs over TLS; keep filesystem logging for local copies
--config_plugin=tls
--logger_plugin=tls,filesystem
--config_tls_endpoint=/api/osquery/config
--enroll_tls_endpoint=/api/osquery/enroll
--logger_tls_endpoint=/api/osquery/log
--disable_distributed=false
--distributed_tls_read_endpoint=/api/osquery/distributed/read
--distributed_tls_write_endpoint=/api/osquery/distributed/write
FLAGS
sudo systemctl restart osqueryd
```

Once `--config_plugin=tls` is set, the schedule comes from Fleet and the local `osquery.conf` is no longer read, so move anything you still need into Fleet. `--tls_server_certs` is the CA chain osquery will accept for `fleet.example.com`; a mismatch shows up as TLS errors in `osqueryd.INFO`.

### 12. Hardening & performance tips

* **Least privilege:** osqueryd runs as root by default because most tables need it. Compensate by controlling who can edit `/etc/osquery/` (the config and flags file decide what root executes and where results are sent) and who can read `/var/log/osquery/` (results reveal listening ports, package versions and file hashes). The enroll secret stays mode 600.
* **Splay your schedules:** already enabled (`schedule_splay_percent`) to avoid spikes.
* **Tune intervals:** increase `interval` for heavy queries (e.g., `deb_packages`) to reduce I/O.
* **Log rotation:** ensure your log manager rotates `/var/log/osquery/*` to prevent disk growth.
* **Packs:** explore the packs directory (e.g., incident-response, it-compliance) and enable only what you need; heavy packs are the usual cause of CPU spikes.

### 13. Troubleshooting

* Validate the config before restarting (exit status 0 means it parsed):

```bash
sudo osqueryd --config_path=/etc/osquery/osquery.conf --config_check && echo OK
sudo osqueryd --flagfile=/etc/osquery/osquery.flags --config_dump   # the merged config osqueryd will use
```

* Service/logs:

```bash
sudo systemctl status osqueryd --no-pager
sudo journalctl -u osqueryd -e --no-pager
sudo tail -n 200 /var/log/osquery/osqueryd.INFO
```

* Common issues:
  * **No `file_events` data:** `disable_events` is CLI-only, so `--disable_events=false` belongs in the flags file (it is the default). Confirm a scheduled query reads `file_events`, let the schedule interval elapse, and look for inotify watch-limit errors in `osqueryd.INFO`.
  * **Repo fetch errors:** re-download the key and confirm `/etc/apt/sources.list.d/osquery.list` names your architecture and the keyring path.
  * **High CPU from heavy queries:** increase intervals, remove unneeded packs, or narrow queries. The `osquery_schedule` table (collected by the osquery-monitoring pack) shows per-query wall time and output size, so you can see which query is the cost.

### 14. Upgrades & removal

* Upgrade with normal apt flows:

```bash
sudo apt update && sudo apt -y upgrade
```

* Remove (keeping config/data):

```bash
sudo systemctl disable --now osqueryd
sudo apt -y remove osquery
```

* Purge (removes config, state and logs):

```bash
sudo apt -y purge osquery
sudo rm -rf /var/osquery /var/log/osquery /etc/osquery
```

### Quick-install one-liner (optional)

```bash
sudo bash -c '
set -e
apt update && apt -y install curl gpg ca-certificates
curl -fsSL https://pkg.osquery.io/deb/pubkey.gpg | gpg --dearmor --batch --yes -o /usr/share/keyrings/osquery-archive-keyring.gpg
ARCH=$(dpkg --print-architecture)
echo "deb [arch=${ARCH} signed-by=/usr/share/keyrings/osquery-archive-keyring.gpg] https://pkg.osquery.io/deb deb main" > /etc/apt/sources.list.d/osquery.list
apt update && apt -y install osquery
systemctl enable --now osqueryd
osqueryi --version
'
```

This installs and starts the daemon only; it still needs the config and flags file from steps 5 and 6 before it schedules anything.

#### You're done!

You now know how to install Osquery on an Ubuntu VPS. Osquery is installed, scheduled, logging, and ready for deeper monitoring.
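Step 9 shows how to eyeball `osqueryd.results.log` with `grep`. What a practitioner actually wants is a small triage pass over that log: drop the daemon's self-generated events, raise file changes under privilege-sensitive paths, and notice new listeners from the `listening_ports` schedule. The script below is an added example, not code from the article or from the osquery project. It assumes the filesystem logger's default differential format (one JSON object per line with `name`, `hostIdentifier`, `action` and a `columns` object; snapshot queries carry a `snapshot` list instead) and works on constructed sample lines; the sensitive-path list and the severities are illustrative policy, not anything osquery defines.

```python
"""Triage osquery's results log for file-integrity and listener events.

Added example: not code from the article or from the osquery project. Assumes
the filesystem logger's default differential format. SENSITIVE_PREFIXES and the
severities are assumed policy for illustration; SAMPLE_LOG is constructed.
"""
from __future__ import annotations

import json
from collections import Counter
from typing import Iterable, Iterator

# Assumed policy: writes under these prefixes should page someone.
SENSITIVE_PREFIXES = (
    "/etc/sudoers", "/etc/ssh/", "/etc/passwd", "/etc/shadow", "/etc/group",
    "/etc/cron", "/etc/systemd/system/", "/etc/ld.so.preload",
)
# logger_path from the guide. If /var/log/%% is watched and this dir is not
# excluded, osquery's own log writes come back as file_events: noise, not a finding.
OSQUERY_LOG_DIR = "/var/log/osquery/"

# Constructed sample lines in osqueryd.results.log format (hash columns trimmed).
SAMPLE_LOG = r"""
{"name":"fim_events","hostIdentifier":"web01","calendarTime":"Tue Jan  7 10:00:05 2025 UTC","unixTime":1736244005,"action":"added","columns":{"target_path":"/etc/test-osquery-fim.txt","category":"etc","action":"CREATED","time":"1736244001","mode":"0644","uid":"0","gid":"0","size":"0"}}
{"name":"fim_events","hostIdentifier":"web01","calendarTime":"Tue Jan  7 10:00:05 2025 UTC","unixTime":1736244005,"action":"added","columns":{"target_path":"/etc/test-osquery-fim.txt","category":"etc","action":"DELETED","time":"1736244002","mode":"","uid":"0","gid":"0","size":"0"}}
{"name":"fim_events","hostIdentifier":"web01","calendarTime":"Tue Jan  7 10:01:05 2025 UTC","unixTime":1736244065,"action":"added","columns":{"target_path":"/etc/sudoers.d/99-deploy","category":"etc","action":"CREATED","time":"1736244040","mode":"0440","uid":"0","gid":"0","size":"41"}}
{"name":"fim_events","hostIdentifier":"web01","calendarTime":"Tue Jan  7 10:01:05 2025 UTC","unixTime":1736244065,"action":"added","columns":{"target_path":"/usr/bin/curl","category":"binaries","action":"UPDATED","time":"1736244050","mode":"0755","uid":"0","gid":"0","size":"264120"}}
{"name":"fim_events","hostIdentifier":"web01","calendarTime":"Tue Jan  7 10:01:05 2025 UTC","unixTime":1736244065,"action":"added","columns":{"target_path":"/var/log/osquery/osqueryd.results.log","category":"logs","action":"UPDATED","time":"1736244060","mode":"0640","uid":"0","gid":"0","size":"88123"}}
{"name":"listening_ports_5m","hostIdentifier":"web01","calendarTime":"Tue Jan  7 10:05:00 2025 UTC","unixTime":1736244300,"action":"added","columns":{"pid":"812","port":"4444","address":"0.0.0.0","protocol":"6"}}
{"name":"listening_ports_5m","hostIdentifier":"web01","calendarTime":"Tue Jan  7 10:10:00 2025 UTC","unixTime":1736244600,"action":"removed","columns":{"pid":"812","port":"4444","address":"0.0.0.0","protocol":"6"}}
{"name":"system_info_hourly","hostIdentifier":"web01","calendarTime":"Tue Jan  7 11:00:00 2025 UTC","unixTime":1736247600,"snapshot":[{"hostname":"web01","cpu_brand":"AMD EPYC","physical_memory":"8589934592"}]}
"""


def parse_results_log(text: str) -> list[dict]:
    """Parse one JSON object per line; skip blank or partial lines (the daemon may be mid-write)."""
    rows: list[dict] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rows.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return rows


def result_rows(entry: dict) -> Iterator[tuple[str, str, dict]]:
    """Yield (query_name, diff_action, columns) for both log shapes."""
    name = entry.get("name", "")
    if "columns" in entry:
        yield name, entry.get("action", ""), entry["columns"]
    for cols in entry.get("snapshot", []):
        yield name, "snapshot", cols


def classify_file_event(cols: dict) -> str:
    """Severity for one file_events row."""
    path = cols.get("target_path", "")
    if path.startswith(OSQUERY_LOG_DIR):
        return "noise"  # self-generated; fix by adding /var/log/osquery/%% to exclude_paths
    if cols.get("category") == "binaries" or path.startswith(SENSITIVE_PREFIXES):
        return "high"
    return "info"


def triage(entries: Iterable[dict]) -> list[dict]:
    """Turn raw log entries into alerts. file_events rows are recognised by their columns,
    listener rows by pid/port; snapshot rows of other queries are ignored."""
    alerts: list[dict] = []
    for entry in entries:
        host = entry.get("hostIdentifier", "?")
        for name, diff_action, cols in result_rows(entry):
            if "target_path" in cols and "action" in cols:
                alerts.append({"severity": classify_file_event(cols), "host": host, "query": name,
                               "what": f"{cols['action']} {cols['target_path']}"})
            elif "port" in cols and "pid" in cols and diff_action in ("added", "removed"):
                # Differential rows: "added" = a new listener appeared, "removed" = it went away.
                alerts.append({"severity": "medium" if diff_action == "added" else "info",
                               "host": host, "query": name,
                               "what": f"listener {diff_action}: {cols.get('address')}:{cols['port']} pid {cols['pid']}"})
    return alerts


def severity_counts(alerts: Iterable[dict]) -> dict[str, int]:
    return dict(Counter(a["severity"] for a in alerts))


if __name__ == "__main__":
    found = triage(parse_results_log(SAMPLE_LOG))
    for a in sorted(found, key=lambda a: a["severity"]):
        if a["severity"] != "noise":
            print(f"[{a['severity']:6}] {a['host']} {a['query']}: {a['what']}")
    print(severity_counts(found))
```

Run it as-is to see the constructed sample triaged; for a real host, feed `parse_results_log` the contents of `/var/log/osquery/osqueryd.results.log` (read as root). A non-empty `noise` bucket is a config problem, not a detection: add `/var/log/osquery/%%` to `exclude_paths` as the config in step 5 does.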
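The config in step 5 and the "No `file_events` data" item under Troubleshooting both come down to a handful of checks worth running before you restart osqueryd. The linter below is an added example, not code from the article or from the osquery project. `CLI_ONLY_FLAGS` is an assumption taken from the osquery documentation's list of CLI-only (initialization) flags, so confirm it against `osqueryd --help` for your version; `SAMPLE_CONF` is a constructed config mirroring this guide's first draft, which is why the run reports the findings that draft would produce.

```python
"""Lint an osquery.conf for the mistakes discussed in this guide.

Added example: not code from the article or from the osquery project.
CLI_ONLY_FLAGS is assumed from the osquery docs' CLI-only flag list (verify
against `osqueryd --help`); SAMPLE_CONF is a constructed config.
"""
from __future__ import annotations

import json
import re

# Read only from the command line / flags file; ineffective inside "options".
CLI_ONLY_FLAGS = {
    "config_plugin", "config_path", "config_refresh",
    "logger_plugin", "logger_path", "database_path", "pidfile",
    "disable_events", "extensions_socket",
}
DEFAULT_LOGGER_PATH = "/var/log/osquery"


def glob_to_regex(pattern: str) -> re.Pattern[str]:
    """osquery file_paths globs: '%%' recurses into everything below, '%' is one path component."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("%%", i):
            out, i = out + ".*", i + 2
        elif pattern[i] == "%":
            out, i = out + "[^/]*", i + 1
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return re.compile("^" + out + "$")


def covered(patterns: list[str], path: str) -> bool:
    return any(glob_to_regex(p).match(path) for p in patterns)


def lint_config(conf: dict) -> list[str]:
    findings: list[str] = []
    options = conf.get("options", {})
    schedule = conf.get("schedule", {})
    file_paths = conf.get("file_paths", {})
    excludes = conf.get("exclude_paths", {})

    for name in sorted(options):
        if name in CLI_ONLY_FLAGS:
            findings.append(f"options.{name} is a CLI-only flag; move it to the flags file")

    fim_queries = [n for n, q in schedule.items()
                   if re.search(r"\bfile_events\b", str(q.get("query", "")), re.IGNORECASE)]
    if file_paths and not fim_queries:
        findings.append("file_paths is set but no scheduled query reads file_events")
    if fim_queries and str(options.get("disable_events", "false")).lower() == "true":
        findings.append("disable_events=true in options; file_events queries will return nothing")
    for name in fim_queries:
        if schedule[name].get("removed", True) is not False:
            findings.append(f'schedule.{name}: add "removed": false; event tables only ever add rows')

    # osquery's own results log lives under logger_path; if a watched category covers it
    # and nothing excludes it, every log write becomes an event written to the same log.
    log_dir = str(options.get("logger_path", DEFAULT_LOGGER_PATH)).rstrip("/")
    own_log = f"{log_dir}/osqueryd.results.log"
    for category, patterns in file_paths.items():
        if covered(patterns, own_log) and not covered(excludes.get(category, []), own_log):
            findings.append(f'file_paths.{category} covers osquery\'s own log dir; '
                            f'add "{log_dir}/%%" to exclude_paths.{category}')

    for category in excludes:
        if category not in file_paths:
            findings.append(f"exclude_paths.{category} has no matching file_paths category")
    for pack, path in conf.get("packs", {}).items():
        if not str(path).startswith("/"):
            findings.append(f"packs.{pack}: path should be absolute")
    return findings


def lint_text(text: str) -> list[str]:
    """Lint raw JSON text; a parse error is itself the finding."""
    try:
        return lint_config(json.loads(text))
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc}"]


# Constructed sample mirroring the first-draft config from this guide.
SAMPLE_CONF = {
    "options": {
        "host_identifier": "hostname", "config_refresh": 300, "schedule_splay_percent": 10,
        "pidfile": "/var/osquery/osquery.pid", "database_path": "/var/osquery/osquery.db",
        "logger_plugin": "filesystem", "logger_path": "/var/log/osquery",
        "utc": True, "disable_events": False, "events_expiry": 3600,
    },
    "schedule": {
        "listening_ports_5m": {"query": "SELECT pid, port, address, protocol FROM listening_ports;", "interval": 300},
        "fim_events": {"query": "SELECT * FROM file_events;", "interval": 60, "removed": False},
    },
    "file_paths": {"etc": ["/etc/%%"], "logs": ["/var/log/%%"]},
    "exclude_paths": {"logs": ["/var/log/journal/%%"]},
    "packs": {"osquery-monitoring": "/opt/osquery/share/osquery/packs/osquery-monitoring.conf"},
}


def fixed_conf() -> dict:
    """Apply the fixes this guide ends up with: runtime options only, own log dir excluded."""
    conf = json.loads(json.dumps(SAMPLE_CONF))  # deep copy
    conf["options"] = {k: v for k, v in conf["options"].items() if k not in CLI_ONLY_FLAGS}
    conf["exclude_paths"]["logs"].append("/var/log/osquery/%%")
    return conf


if __name__ == "__main__":
    for finding in lint_config(SAMPLE_CONF):
        print("-", finding)
    print("after fixes:", lint_config(fixed_conf()))
```

For a real host, call `lint_text` on the contents of `/etc/osquery/osquery.conf`, then still run `osqueryd --config_check`: this linter checks intent, osquery checks its own grammar.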
#Guides #Cloud #VPS #osquery #ubuntu #vps

It also uses SQL-based queries to perform analysis, similar to #OSquery.

blog.trailofbits.com/2026/02/25/m...

GitHub - noelob/tailscale-osquery: A Tailscale extension for osquery

I made a thing: a #tailscale extension for #osquery. Now you can use SQL to query different aspects of your Tailnet 🚀

github.com/noelob/tails...

Velociraptor logo showing a green cartoon raptor holding a shield with a “V” symbol.


🔍 OSQuery and Velociraptor take a different approach.

They let teams ask explicit questions of endpoints using readable queries. You collect what you need, store it where you choose, and integrate with your own SIEM or logs.

Control replaces guesswork.

#OpenSourceSecurity #OSQuery #Velociraptor


Playing with #osquery on Linux (Deb) and Windows and it's nice to know you can still build a custom cross-platform inventory/monitoring/reporting service for free in 2025, and even wrap it in #Python or #PowerShell if you want. Tinkering is why most of us got into computers after all.

YARA Scanning - osquery

My diagnostic agent just taught me about YARA and my mind is blown! 🤯 Stay tuned for the next update of the agent on my next article! #vertexai #osquery

osquery.readthedocs.io/en/stable/de...

Understanding osquery: SQL-Powered System Monitoring
The Detective Tool for Your Linux System — Meet osquery!

TIL you can SQL your OS. 🤯

osquery turns your system into a queryable DB:

SELECT * FROM processes;

SELECT * FROM listening_ports;

Install in seconds (Nix):
pkexec nix-shell -p osquery --run "osqueryi"

Full guide: byteshiva.medium.com/understandin...

#osquery #Linux #InfoSec #devops


Learning some OSquery in the TryHackMe room. Starting off with Tasks 1, 2, and 3. My write-up on these first three Tasks can be viewed either on my Personal webpage or Medium:
#TryHackMe #OSquery #SOCLevelOnePath

haircutfish.com/posts/Osquer...

medium.com/@haircutfish...


If you’re using #kubernetes, and you’re using #osquery, you should check out kube-query! Here’s an intro by @simarpreet7 https://youtu.be/s3gW-Txnqdg


Our new extension to #osquery lets you query your #Kubernetes cluster as if it were a database https://github.com/aquasecurity/kube-query
