The TLS cert for my fleet instance expired, then the endpoints that were started after this event could not retrieve the agent config from Fleet which contained the Firehose configuration among others, then they could not send their status and result logs to Firehose stream. Is there a way to make this configuration cached in the endpoint for sometime so if a problem like this happens, the endpoints can still send their results to the destination?

Hey @Vinny! Are you setting Firehose as your logging destination through Fleet, or directly from osquery?

@Kathy Satterlee I have osquery sending directly to firehose

In that case, I would set up a local flag file and pass that to osquery on start. Those flags would be used until/unless overridden with the remote config.

Yes, that is what I thought would be an alternative....thank you

No problem!

hi @Kathy Satterlee. Is it possible to use decorators in the flags file?

I don’t believe it would be possible to do that and still fetch config from Fleet, but I’ll look in to it a bit later today to confirm.