Hi all - If I remember right, there's a way to keep a cache of query results in Fleet so that I can view the query data of a host that was online when the query was performed, but is now offline. How would I go about configuring that (assuming that's available in Community edition). Edit: The query results per-host is what I'm looking for (https://fleetdm.com/releases/fleet-4.42.0) - just not sure how to configure that.

Hey @Mike S., do you have this in under your host record > Queries? Is this what you're looking for?

Hi Dale - I do, but is it possible to see the cached results for all systems?

If you look at the query's detail page, you should have the aggregated results there.

Nailed it, thank you!

Any time!

One more question on this - I have the query set to run every hour, but no results are coming back. When I run a live query, I get results. Is there a setting I'm missing to have the query populate on the hourly interval?

Is there an interval set for the query?

Yep, set to run every hour.

Can you see any errors in the Fleet server logs related to osquery logging? Do the scheduled query results show up in the osquery result logs, or are those missing as well?

Hi @Kathy Satterlee sorry for the delay in responding - I don't see any errors in the Fleet server logs that I think are related to this. The results show up in a live query, but not in scheduled results. I do see where this worked previously in our deployment, but that was months ago.

Are you using plain osquery, or

fleetd

?

fleetd

Gotcha. Can you grab the logs for one host that we'd expect this query to run on?

Sure - I'll DM.

Looking at the logs and I do see the query running, but it looks like you've got osquery configured to send logs directly to firehose rather than Fleet, which is why you're not seeing the cached results.

Ah, that'll do it!

Any time!