Hi everyone I m currently learning osquery and have some que osquery #general

Hi everyone, I'm currently learning osquery and ha...

John Doe

06/13/2024, 4:06 PM

Hi everyone, I'm currently learning osquery and have some questions about how it schedules and executes queries. Specifically, I have several queries within packs that all have the same interval. Here are my questions: 1. Behavior with Same Interval: If all queries have the same interval, what will be the behavior? 2. Execution Order: Does osquery execute the queries sequentially or in parallel? 3. Default Flag for Small/Same Intervals: Is the

schedule_splay_percent

flag enabled by default when using small or identical intervals? My Observations: 1. When queries have the same interval, they are executed within that interval. For example, with a 30-second interval, execution happens within 30 seconds, and with a 60-second interval, it happens within 60 seconds. However, I've noticed that the execution time increases as the interval increases. Why does this happen? 2. It seems like osquery executes the queries sequentially. 3. I couldn't find any information about the

schedule_splay_percent

flag. Any insights or clarifications would be greatly appreciated. Thanks for your help!

Mike Myers

06/13/2024, 5:03 PM

3. I believe the

schedule_splay_percent

default value is 10 (percent), regardless of interval value, based on a look at the code

Mike Myers

06/13/2024, 5:04 PM

2. sequentially is what I would expect too based on my experience

Stefano Bonicatti

06/13/2024, 5:34 PM

1. They get splayed if it's active, otherwise run one after the other. 2. Sequentially among queries that run in the same context (scheduler, distributed/ad-hoc), but otherwise scheduled queries and distributed/ad-hoc queries run in parallel

John Doe

06/13/2024, 7:22 PM

@Mike Myers Thanks for the response. yes, by default value is 10 percent, but do we have to mention that flag or by default it is present. And also 10 percent gets applied on what?

John Doe

06/13/2024, 7:23 PM

Thanks @Stefano Bonicatti for the response. Could you please elaborate point no. 1 little bit

Mike Myers

06/13/2024, 7:41 PM

My understanding is that a value of

percent splay adds a random +/- 10% to each scheduled interval, to avoid all hosts simultaneously returning results to the server

👆 1

Mike Myers

06/13/2024, 7:41 PM

it has a default value of

and I believe that means you don't have to explicitly set it, it will be

unless you set it otherwise

Mike Myers

06/13/2024, 7:44 PM

That's based on my reading of this line https://github.com/osquery/osquery/blob/e4ff72ee0b88e3101ad36cc6328d4634fab7f483/osquery/config/packs.cpp#L37 but not having tested the splay in practice

Stefano Bonicatti

06/13/2024, 7:50 PM

It's also calculated once per query name, and gets updated only if you update the interval of the query, otherwise whatever amount of splay has been randomly chosen once, it's restored everytime (from the RocksDB database)

ty 1

John Doe

06/14/2024, 3:57 AM

@Stefano Bonicatti @Mike Myers It will be a very basic question sorry for that, 1]but can we say that packs are the collection of schedule queries 2] queries are executed in any particular order or osquery choose them randomly or there is some sorting criteria given that interval is same for all queries within all packs

9 Views

Open in Slack

Previous Next