It seems like the osqueryi (at least earlier releases) is a separate binary and it's smaller than osqueryd. I'm thinking about including it in an app, and need the smaller version (30 mb vs 100 mb).
How to build just osqueryi?
asked Feb 1 at 23:54 by Helge Hannisdal, edited Feb 2 at 0:46 by halfer

Comment: This question is rather brief. What have you tried so far? Is there anything in the manual about this? – halfer, Feb 2 at 0:47
1 Answer
osqueryi isn't separate, it's the same binary with a different name (or in some cases a symlink). You can also invoke the same mode by using the -S argument. As in: osqueryd -S
As for size, ignoring the symlink case, they should be the same size. Osquery statically links its dependencies in, so there's not a lot to trim out. If you're on Linux, you might be able to strip the debugging symbols out.
If you're really tight on space, you could look at upx for binary compression. I don't know anyone who uses it for osquery, but it ought to work...
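To check on your own install whether osqueryi is a symlink to osqueryd or a byte-identical copy of it, as the answer describes, here is an added example (not part of the original answer or of the osquery project). The function names are hypothetical and the paths in the usage comment are assumptions about where the binaries live.

```shell
#!/bin/sh
# Classify how two installed binaries relate: symlink, hardlink,
# identical copy, or genuinely different files.

relation() {
    a=$1; b=$2
    # -e follows symlinks, so a dangling link is reported as missing.
    [ -e "$a" ] && [ -e "$b" ] || { echo missing; return 1; }
    if [ "$a" -ef "$b" ]; then
        # Same device and inode once symlinks are followed.
        if [ -L "$a" ] || [ -L "$b" ]; then
            echo symlink
        else
            echo hardlink
        fi
    elif cmp -s "$a" "$b"; then
        # Separate files on disk with the same bytes.
        echo identical-copy
    else
        echo different
    fi
}

# Size of the file the path resolves to (symlinks are followed).
size_bytes() { wc -c < "$1" | tr -d ' '; }

report() {
    printf '%s vs %s: %s\n' "$1" "$2" "$(relation "$1" "$2")"
    printf '  %s bytes / %s bytes\n' "$(size_bytes "$1")" "$(size_bytes "$2")"
}

# Usage (example paths, adjust to your install):
#   sh check.sh /usr/bin/osqueryd /usr/bin/osqueryi
if [ $# -eq 2 ]; then
    report "$1" "$2"
fi
```

A result of symlink or hardlink means only one copy is stored on disk; identical-copy means the package ships the same bytes twice.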