Hey everyone, I haven't been able to answer this i...
# generalg
Georgios
09/12/2024, 7:03 PMHey everyone, I haven't been able to answer this in the documentation. When we run a differential query how long back does OSquery keep track of the previous results? Is it just the previous run? Is it 24 hours? Also where is that state stored? Locally on each system?
s
Stefano Bonicatti
09/12/2024, 7:14 PMYou can find documentation here: https://osquery.readthedocs.io/en/latest/deployment/logging/#differential-logs, where it mentions that it's always between the previous run and the current run.
So it only stores one run, and it does so in RocksDB, locally.
Stefano Bonicatti
09/12/2024, 7:14 PMyou may also want to check: https://osquery.readthedocs.io/en/latest/deployment/logging/#schedule-epoch
g
Georgios
09/12/2024, 8:12 PMThank you @Stefano Bonicatti is there a way to extend that window?
s
Stefano Bonicatti
09/12/2024, 8:15 PMNo you can't, but I also wonder to what end?
Stefano Bonicatti
09/12/2024, 8:15 PMThe mechanism is to provide a difference between two points in time only.
g
Georgios
09/12/2024, 8:17 PMMy usecase would be I only want to get new connections. I don't care if my host is always connecting to another server continuously. In this set up I will not get the connection every other query run. I was looking more for I only get this network connection once