Osquery uses basic SQL commands to leverage a relational data-model to describe a device.

osquery

Also, trying to understand query automation frequency. I have a query that I need to run on all devices ASAP, and if they're not online at the moment run when they are online, but also I don't need to update it frequently. So I set the frequency to weekly, but it doesn't seem to be running on any devices... is "weekly" a set calendar time? I don't see it talked about in the documentation at all.

I'm assuming that the query automations are Fleet-specific, as opposed to the old-style schedules

<https://github.com/fleetdm/fleet/blob/31cd1e89d3f0e97de5dd97796bca007ffc4a866f/server/fleet/scheduled_queries.go> seems to indicate it's an interval, not calendar-based; I wonder why my query isn't logging results. :thinking_face:

When I run it live it is successful, and other queries are logging successfully... the only thing different about this one is it's set to weekly instead of hourly.

I guess I was just being impatient, it's returning data now. Disregard!

For one host, at least. Guessing that weekly interval was set when Fleet was first installed, so they'll trickle in over a week.

Finally found this in the osquery docs:
&gt;&gt; NOTICE: that the interval time in seconds is how many seconds the daemon itself has been running before the scheduled query will be executed. If the system is suspended or put to sleep the progression of time "freezes" and resumes when the system comes back online. For example a scheduled query with an interval of 86400, or 24 hours, running on a laptop system could take a few days before the query executes if the system is suspended at night.

I was searching for that section last night and wasn't even able to find it. But it is on this page: <https://osquery.readthedocs.io/en/stable/deployment/configuration/> right above the <https://osquery.readthedocs.io/en/stable/deployment/configuration/#query-packs> section