Channels
doorman
infrastructure
random
zercurity
community-feeds
fleet-dev
code-review
queryhub
apple-silicon
carving
tls
fim
goquery
zentral
aws
querycon
golang
zeek
file-carving
fuzzing
auditing-warroom
linen-dev
fleetosquery
plugins
jobs
arm-architecture
darkbytes
process-auditing
uptycs
android_tests
selfgroup
vendor-feeds
fleet
eclecticiq-polylogyx-extension
ebpf
website
core
general
macos
kolide
osctrl
extensions
foundation
sql
officehours
linux
windows
Title
j
jackjack
05/24/2021, 5:34 PMhowdy channel 🙂 wonder what everyone is using to monitor the running status of osqueryd these days? cron? osqueryctl? launchtl? ps-aux? thank you
s
seph
05/24/2021, 6:17 PMNot to be snide, but what does monitoring mean?
Something like launchd or systemd is going to aim to keep the local binary running, but isn’t really going to have visibility into it’s state.
When I’m trying to monitor whether an agent is healthy, if I have a TLS server, I’m going to use that. Run a distributed query, or look at the last time it hit an endpoint, etc.
If I’m trying to monitor for resource usage, I’m going to use a mix of traditional SRE/OPS tools, and I’m going to use osquery to introspect itself.
j
jackjack
05/24/2021, 6:19 PMfair question 🙂 I mean to make sure osqueryd is running.
I'm going to use osquery to introspect itself.s
seph
05/24/2021, 6:25 PMAnything that’s running osquery as a daemon will make sure it’s running. None of them will make sure it’s working correctly. That’s much more nebulous
If I was trying to diagnose a performance issue, I would look at
osquery_schedule