Ever opened Activity Monitor on your Mac and wondered what is really going on under the hood? You see numbers for Memory Used, Cached Files, and Swap, but you cannot query them, alert on them, or ship them to your SIEM. That is where osquery changes the game.
Osquery turns your operating system into a SQL database. Every Mac becomes a set of tables you can query with SQL. And one of the most useful tables for performance troubleshooting and security monitoring is the osquery memory_info table macOS.
If you are a sysadmin, a detection engineer, or just a Mac power user who likes data, understanding the memory_info table gives you a direct line into how osquery memory_info table macOS manages RAM in real time. You can spot memory leaks, detect suspicious resource usage, and build fleet-wide visibility without installing heavy agents.
In this guide we will dig into the osquery memory_info table macOS. We will cover what it is, what each column means, how Apple’s memory model works, practical queries you can run today, and how to use it for monitoring and detection. Let’s get into it.
ALSO READ: Music As Hobby: Finding Joy Between The Notes
What Is Osquery And Why Use It On MacOS?
Before we jump into memory_info, a quick refresher. Osquery is an open source tool originally built by Facebook. It exposes your OS as high-performance relational tables. You write SQL, osquery returns rows.
On osquery memory_info table macOS, this is powerful because the system does not give you many native ways to script access to low level stats. With osquery you can:
- Ask questions on demand:
SELECT * FROM memory_info; - Schedule queries: Run checks every 60 seconds and log the results
- Integrate with tools: Send results to Splunk, ELK, or Sentinel
- Build detections: Alert when memory pressure spikes or swap grows
No custom scripts, no parsing plist files, just SQL. The memory_info table is available by default in every osquery memory_info table macOS. No configuration needed.
Understanding The Osquery Memory_Info Table MacOS: Columns Explained
The osquery memory_info table macOS maps directly to Apple’s vm_statistics64 data. This is the same data Activity Monitor uses, but osquery makes it queryable.
Here is the full schema as of osquery 5.x. Each row represents a snapshot of system memory at query time. The table always returns exactly one row.
| Column | Description | Why It Matters |
|---|---|---|
physical_memory | Total physical RAM installed in bytes | Baseline for all % calculations |
memory_pressure | Apple’s memory pressure metric: 0 to 100 | High values mean the system is struggling |
free | Bytes of RAM marked as free and not in use | Low free is not always bad on macOS |
active | Bytes in active use by running processes | Memory apps are actively touching |
inactive | Bytes that were active but are not recently used | Can be reclaimed quickly if needed |
wired | Bytes that cannot be paged out to disk | Kernel + some app memory. Never goes to swap |
speculative | Bytes used for speculative file reads | macOS prefetches files it thinks you will need |
throttled | Bytes that are throttled by the system | Related to memory pressure response |
purgeable | Bytes that can be purged by the kernel | Cache that can be dropped instantly |
file_backed | Bytes backed by files on disk | App code, memory-mapped files |
anonymous | Bytes not backed by files | Heap, stack, malloc’d memory |
swap_total | Total swap space configured in bytes | 0 if swap is disabled |
swap_free | Bytes of swap space currently free | Swap_total – swap_used |
page_ins | Total page-in events since boot | Reading from disk into RAM |
page_outs | Total page-out events since boot | Writing from RAM to disk/swap |
Key insight: osquery memory_info table macOS tries to use as much RAM as possible. So free memory is often low by design. Look at memory_pressure, swap_free, and wired for real health signals instead.
How MacOS Memory Management Differs From Linux And Windows
To use the memory_info table effectively, you need to understand Apple’s philosophy.
Free RAM is wasted RAM: osquery memory_info table macOS aggressively caches files in inactive and speculative. If you launch Chrome again, it loads instantly.
Memory Pressure is the truth: Apple calculates a 0 to 100 score based on free, file cache, and swap. Green is 0 to 50, Yellow is 50 to 75, Red is 75 to 100. You can see this in Activity Monitor. memory_info.memory_pressure gives you that number.
Compressed memory: Instead of swapping right away, osquery memory_info table macOS compresses inactive pages. This shows up in app_memory in Activity Monitor but is not exposed directly in memory_info. You will see it indirectly as low page_outs.
Wired memory cannot swap: Kernel extensions, drivers, and some security tools use wired. If wired keeps growing, you may have a kernel leak.
This is why you cannot just alert on free < 10% like on Linux. Use memory_pressure > 75 or swap_free < 500MB as better indicators.
Practical Osquery Queries For Osquery Memory_Info Table MacOS
Let’s put the table to work. You can run these in osqueryi for testing, or add them to your scheduled query packs.
Basic Memory Snapshot in GB
Raw bytes are hard to read. Convert them to gigabytes for quick checks.
SQL
SELECT ROUND(physical_memory / 1073741824.0, 2) AS physical_gb, ROUND((physical_memory - free) / 1073741824.0, 2) AS used_gb, ROUND(wired / 1073741824.0, 2) AS wired_gb, ROUND(swap_total / 1073741824.0, 2) AS swap_total_gb, ROUND(swap_free / 1073741824.0, 2) AS swap_free_gb, memory_pressureFROM memory_info;3 lines hidden
This gives you a dashboard view in one line.
Calculate Memory Pressure Like Activity Monitor
Want the % used that actually matters? Use this:
SQL
SELECT memory_pressure AS pressure_score, CASE WHEN memory_pressure < 50 THEN 'Green' WHEN memory_pressure < 75 THEN 'Yellow' ELSE 'Red' END AS pressure_status, ROUND(100.0 * (wired + active) / physical_memory, 1) AS active_wired_percentFROM memory_info;4 lines hidden
Alert when pressure_status = 'Red' and it stays there for 5 minutes.
Detect Swap Usage Spikes
Swap on macOS means you are out of compressible memory. It kills SSDs over time and slows the system.
SQL
SELECT ROUND((swap_total - swap_free) / 1073741824.0, 2) AS swap_used_gb, page_outsFROM memory_infoWHERE swap_total > 0 AND swap_free < 1073741824;This returns rows only when less than 1 GB of swap is free. Schedule it every minute and alert on new results.
Track Wired Memory Growth Over Time
A steady increase in wired often means a kernel extension leak. Log this query with osquery’s differential logging:
SQL
SELECT wired, ROUND(wired / 1073741824.0, 2) AS wired_gbFROM memory_info;Then graph wired_gb in your SIEM. A sawtooth pattern is normal. A staircase that never goes down is a problem.
Join With Processes for Context
memory_info is system-wide. To find the culprit, join with processes using virtual memory size.
SQL
SELECT p.pid, p.name, ROUND(p.resident_size / 1073741824.0, 2) AS rss_gb, m.memory_pressureFROM processes p, memory_info mWHERE p.resident_size > 1073741824ORDER BY p.resident_size DESCLIMIT 5;4 lines hidden
This shows the top 5 processes by RAM when you check memory pressure. Great for incident response.
Using Memory_Info For Security And Detection On MacOS
Beyond performance, memory_info helps with security use cases:
Detect Cryptominers and Resource Abuse
Miners want all your RAM and CPU. Look for sustained memory_pressure > 80 plus high page_outs growth. Combine with processes where name = 'xmrig' or high cpu_time.
Identify Memory Scraping Malware
Some malware allocates large anonymous memory to dump LSASS-like data on osquery memory_info table macOS. You will not see anonymous directly, but you will see wired + active jump while file_backed stays flat.
Spot Runaway Kernel Extensions
If wired memory climbs 200 MB every hour and never drops, you likely have a buggy kext. Use osquery’s kernel_extensions table to correlate which one loaded recently.
Compliance: Ensure Swap Is Encrypted
FileVault on modern osquery memory_info table macOS encrypts swap automatically. But you can verify swap is active and monitor it. If swap_total = 0 on a laptop, that might violate your policy.
Performance Monitoring Tips With Osquery Memory_Info
Here are 3 field-tested tips for fleet monitoring:
Do not poll too fast: Reading vm_statistics64 has a tiny CPU cost. Once every 30 to 60 seconds is plenty. More than that and you are adding noise.
Use differential queries: In your osquery config, set differential: true for memory_info queries that look for changes, like swap growth. You only get a log when the value changes.
Baseline each machine: A 16 GB MacBook Air and a 128 GB Mac Studio have different normals. Calculate used_percent and alert on deviation, not absolute GB.
Common Gotchas When Querying Memory_Info On MacOS
Watch out for these when you start building detections:
Gotcha 1: Free memory is always low
Do not alert on it. osquery memory_info table macOS fills RAM with cache on purpose. Trust memory_pressure instead.
Gotcha 2: Page_ins go up during normal use
Launching apps causes page_ins. Alert on page_outs rate instead. Page outs mean you are actually short on RAM.
Gotcha 3: Values are in bytes, not pages
Some old documentation says wired is in pages. In osquery it is always bytes. Divide by 1073741824 to get GB.
Gotcha 4: One row onlySELECT * FROM memory_info WHERE free < 1000000 will either return 1 row or zero rows. You cannot use it to get historical data unless you log it yourself.
Conclusion
The osquery memory_info table macOS gives you scriptable, reliable access to the same memory data Apple uses internally. You do not have to guess what Activity Monitor means anymore. You can query it, log it, and alert on it.
Remember the big ideas: focus on memory_pressure and swap_free over free. Watch wired for kernel leaks. Join with processes to find the cause. And always convert bytes to GB so your team can actually read the results.
Start with the queries in this article. Add them to your osquery schedule. In a week you will have a baseline for your fleet. In a month you will catch that first runaway process before a user submits a ticket.
Osquery turns osquery memory_info table macOS from a black box into a SQL table. Now you know how to dig in.
FAQs
What is the osquery memory_info table on macOS?
The memory_info table in osquery is a virtual table that exposes osquery memory_info table macOS system memory statistics. It returns one row with columns like physical_memory, free, wired, memory_pressure, and swap_free. It pulls data from the same kernel source Activity Monitor uses, so you can query RAM usage with SQL.
How often should I query memory_info in production?
Every 30 to 60 seconds is a good balance. Querying more frequently adds CPU overhead for no real benefit because memory stats do not change that fast. For alerting, use osquery’s differential logging to only record when key values like memory_pressure or swap_free change.
Why is free memory always low on my Mac in osquery?
This is normal for osquery memory_info table macOS. The system uses free RAM for file caching and speculative loading to make apps launch faster. A low free value does not mean you have a problem. Check memory_pressure instead. Green or Yellow is fine. Only Red means the system is under real memory stress.
Can I see per-process memory usage with memory_info?
No, memory_info is system-wide only. To see per-process usage, query the processes table and look at resident_size, total_size, or wired_size. You can join processes and osquery memory_info table macOS to get both system pressure and the top memory consumers.
Does memory_info work on Apple Silicon and Intel Macs?
Yes. The osquery memory_info table macOS both Apple Silicon M1, M2, M3 and Intel Macs running any osquery version 3.3.0 or newer. The column names and meanings are the same. The underlying values come from vm_statistics64, which Apple provides on all architectures.
ALSO READ: The ETrueSports Newsletter: Your Weekly Playbook
Daniel Harper is a skilled content writer specializing in technology and digital trends. At Saxby.org, he creates clear, well-researched, and trustworthy articles that help readers stay informed and make better decisions.
