Is it possible to store differential logs in the batch format? The logging option in the save query dialog only shows snapshot vs differential https://osquery.readthedocs.io/en/stable/deployment/logging/#differential-logs

What's the batch format? Those choices represent what osquery itself supports, AFAIK.

It's in the link:

There are two format options, single, or event, and batched.

More info: https://osquery.readthedocs.io/en/stable/deployment/logging/#batch-format

Today I learned. Thanks! It looks like that is only available to be controlled via that

--logger_event_type=false

command line flag, and not in the config like the other options.

The only real difference is for tables with multiple entries per host, it's just a single JSON object per host in the log instead of one per event. Not a huge deal, but might be a little more efficient to parse.

@John Speno Is correct there, the 'batch' behavior is controlled through the osquery config with

--logger_event_type

rather than set for the individual query. That's why you don't see that option when saving the query in Fleet. The three options you have there represent the possible combinations of these two values in the query object in the osquery schedule key: • `removed`: a boolean to determine if "removed" actions should be logged, default true • `snapshot`: a boolean to set 'snapshot' mode, default false

So this would probably work: https://fleetdm.com/docs/configuration/agent-configuration#command-line-flags

Should do, yes. I haven't personally tested it, but all roads point in that direction.