The surveilr osQuery Integration Pattern provides a seamless method to integrate any surveilr-managed database into osQuery using the Automatic Table Construction (ATC) pattern. This allows organizations to query and analyze data from a variety of sources—collected and standardized within surveilr—via osQuery’s SQL interface.

osQuery Integration Pattern

Surface surveilr RSSD tables via osQuery

By leveraging the ATC JSON pattern, users can automatically surface custom tables in osQuery to interact directly with the content stored in surveilr's Resource Surveillance State Database (RSSD). This enables osQuery to dynamically join data from multiple sources (emails, logs, compliance evidence, PLM/CRM systems, etc.), providing powerful querying capabilities for security audits, compliance reporting, and decision-making.

Use the SQL

Unified Data Access

The integration allows organizations to leverage surveilr as a universal data aggregator, pulling from a multitude of data sources. osQuery users benefit from this by gaining a unified interface to query all of the data—regardless of where it originally came from—using standard SQL.

Edge-Based Security

Since surveilr employs a local-first, edge-based approach, sensitive data is handled securely at the source, before it is ever integrated into the central system or osQuery tables. This enhances data security by reducing the risks associated with transferring sensitive information over networks.

Seamless Extensibility with ATC

The Automatic Table Construction (ATC) pattern simplifies extending osQuery’s capabilities. No need to write complex C++ extensions or plugins. Instead, users define custom tables in JSON format, making it easy to add new data sources or modify the structure of the tables without redeploying osQuery.
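
One way to produce the JSON definition described above, added here as an example and not taken from surveilr or osQuery: the script introspects an SQLite file and emits an `auto_table_construction` block for an explicit allow-list of tables only. The sample database, its `uniform_resource` and `device` tables and their columns, the `surveilr_` prefix and the `atc_config` helper are assumptions made for illustration.

```python
import json
import os
import sqlite3
import tempfile


def atc_config(db_path, tables, prefix="surveilr_"):
    """Build an osquery auto_table_construction block for an allow-list of tables."""
    atc = {}
    # Open read-only: generating the config must never modify the database.
    con = sqlite3.connect(f"file:{db_path}?mode=ro", uri=True)
    try:
        known = {r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type IN ('table', 'view')")}
        for table in tables:
            # Only names that exist in the schema reach the PRAGMA below.
            if table not in known:
                raise ValueError(f"{table!r} not found in {db_path}")
            cols = [r[1] for r in con.execute(f'PRAGMA table_info("{table}")')]
            atc[prefix + table] = {
                "query": "SELECT {} FROM {}".format(", ".join(cols), table),
                "path": db_path,
                "columns": cols,
            }
    finally:
        con.close()
    return {"auto_table_construction": atc}


def demo():
    # Constructed stand-in database; table and column names are assumptions.
    path = os.path.join(tempfile.mkdtemp(), "rssd-sample.sqlite.db")
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE uniform_resource "
                "(uniform_resource_id TEXT, uri TEXT, nature TEXT)")
    con.execute("CREATE TABLE device (device_id TEXT, name TEXT)")
    con.commit()
    con.close()
    # Only uniform_resource is allow-listed, so device is not surfaced.
    return atc_config(path, ["uniform_resource"])


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Because only allow-listed tables are emitted, anything else in the database stays invisible to osQuery users until it is added deliberately.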