I recall that `osquery schedule` is really only supposed to

Question

I recall that `osquery schedule` is really only supposed to keep track of stats on schedule queries for the life of the osqueryd daemon Even given that we only see three fields filled out name query interval and everything else is 0 across tens of thousands of machines

HarlanF · Answer

Is tracking this incompatible with certain configurations possibly Yes I do have schedule queries looking at this table and I ve also used ` connect var osquery osquery em` in order to acces stats from osqueryd Mostly zeroes

John Speno · Answer

The values you see are the defaults in the source <https github com osquery osquery blob master osquery tables utility osquery cpp L240> so it looks like no scheduled queries have run to change those values That seems unlikely I m sure But what `interval` values are you seeing

HarlanF · Answer

I didn t check them against the files but at quick glance the interval values seem correct

HarlanF · Answer

We re outputting to kafka and there s tons of results in there I ve never once seen a non zero in that table but for the three fields I mentioned above

seph · Answer

Is this a stock osquery or something weird I wonder if this one of the areas that fragile to being renamed

HarlanF · Answer

Stock I mean we have configuration but we installed from RPM distribution

HarlanF · Answer

And been like this forever least a couple years

seph · Answer

Assuming it s an osquery RPM that sounds pretty stock to me

HarlanF · Answer

If you can think of anything I can test please let me know Maybe on a test machine I ll try stopping it wiping its database state clean and seeing how minimal a configuration I can start it up with to see if it ll behave differently

HarlanF · Answer

Would you like me to file a bug report in gitlab

HarlanF · Answer

< seph> <https github com osquery osquery issues 8007>