Fast and efficient osquery management.

osctrl is a fast and efficient osquery management solution, implementing its remote API as TLS endpoint.

With osctrl you can:

• ✨ Monitor all your systems running osquery
• 📦 Distribute its configuration fast
• 📊 Collect all the status and result logs
• ⚡ Run on-demand queries
• 🗂️ Carve files and directories
• ⚙️ Scale from hundreds to hundreds of thousands of nodes

Whether you’re running a small deployment or managing large fleets, osctrl gives you visibility and control over your osquery endpoints without compromising security or performance.

You can find the documentation of the project in https://osctrl.net

osctrl/
├── cmd/                         # Service and CLI entrypoints
│   ├── admin/                   # osctrl-admin (web UI + admin handlers/templates/static)
│   ├── api/                     # osctrl-api (REST API service)
│   ├── cli/                     # osctrl-cli (operator CLI)
│   └── tls/                     # osctrl-tls (osquery remote API endpoint)
├── pkg/                         # Shared application packages
│   ├── auditlog/                # Audit log manager
│   ├── backend/                 # DB manager/bootstrap
│   ├── cache/                   # Redis/cache managers
│   ├── carves/                  # File carve logic/storage integrations
│   ├── config/                  # Config structs/flags/validation
│   ├── environments/            # Environment management
│   ├── handlers/                # Shared HTTP handlers
│   ├── logging/                 # Log pipeline + logger backends
│   ├── nodes/                   # Node state/registration/cache
│   ├── queries/                 # Query management/scheduling/results
│   ├── settings/                # Runtime settings
│   ├── tags/                    # Tag management
│   ├── users/                   # User and permissions management
│   ├── utils/                   # Utility helpers
│   ├── types/                   # Shared type definitions
│   └── version/                 # Version metadata
├── deploy/                      # Deployment configs/scripts (docker/nginx/osquery/systemd, CI/CD, redis, config, helpers, etc.)
├── tools/                       # Dev/release helpers and API test assets (Bruno collections, scripts)
├── bin/                         # Built binaries (from make)
├── docker-compose-dev.yml       # Local multi-service development stack
├── Makefile                     # Build/test/dev targets
└── osctrl-api.yaml              # OpenAPI specification for osctrl-api

flowchart LR
    A["osquery Agents"] -->|TLS Remote API| T["osctrl-tls"]
    O["Operators"] -->|Web UI| W["osctrl-admin"]
    O -->|CLI| C["osctrl-cli"]
    O -->|REST| P["osctrl-api"]

    W -->|HTTP API| P
    C -->|HTTP API| P

    T --> S["Shared Packages (pkg/*)"]
    W --> S
    P --> S
    C --> S
    C -.->|Direct DB mode| D

    S --> D["PostgreSQL Backend"]
    S --> R["Redis Cache"]
    S --> L["Log Destinations (DB, file, S3, Elastic, Splunk, Graylog, Kafka, Kinesis, Logstash)"]
    S --> F["Carve Storage (DB, local, S3)"]

The fastest way to get started with osctrl development is by using Docker and Docker Compose. But you can find other methods below.

You can use docker to run osctrl and all the components are defined in the docker-compose-dev.yml that ties all the components together, to serve a functional deployment.

Ultimately you can just execute make docker_dev and it will automagically build and run osctrl locally in docker, for development purposes.

Using the provided deploy/provision.sh script, you can set up a development environment on your local machine. This script will install all necessary dependencies and configure the environment for osctrl development in a latest Ubuntu LTS system.

Check the documentation for more details on how to use the provisioning script.

Ultimately the script can also be used to deploy osctrl in production systems, please refer to the documentation for more details.

To build osctrl from source, ensure you have Go installed (version 1.25 or higher is recommended). Then, clone the repository and run the following commands:

git clone https://github.com/jmpsec/osctrl.git
cd osctrl
make

This will compile all the osctrl components (osctrl-tls, osctrl-admin, osctrl-api, osctrl-cli), placing the binaries in the bin/ directory.

Find us in the #osctrl channel in the official osquery Slack community (Request an auto-invite!)

osctrl is licensed under the MIT License.

This is a security-sensitive project. Please read the SECURITY.md for vulnerability reporting and responsible disclosure guidelines.

We ❤️ contributions!

Feel free to fork the repository and submit pull requests. For major changes, please open an issue first to discuss what you would like to change.