Has anyone had issues with the osquery client creating new sessions at the same interval as tls logger period? We set ssl_session_reuse to true, but that didn't change the behavior
additionally, it looks like when we hit the logger period (10 sec) we see the client connect and sent 10kb of data. This appears to be a check-in only as we only run a handful of queries at this time and most are once per day or maybe once per hour. 10kb of data every 10 seconds becomes a decent amount of bandwidth for 4000 nodes and eventually we are going to scale to 30 or more. Is this 10kb expected? seems like of like a lot of data for just checking in. We are going to increase our logger period to 60 seconds, but wanted to check with the community to see if anyone else has experienced this. I'm struggling to think of what kind of data is being sent each time the client checks for buffered logs if we aren't running any frequent queries.
actually, I think it's our distributed_interval
not logger...makes a lot more sense now
03/17/2021, 4:01 PM
yeah that seems like a lot of data for a checkin, did you figure it out?
03/17/2021, 4:57 PM
Not quite @theopolis, we did change our distributed_interval from 10 to 300 and I'm waiting on the network team to tell me what affect that's had. Are decorator queries run when the client checks in for either config refresh or on the distributed interval?
this is all we have in options for that
- SELECT uuid AS host_uuid FROM system_info;
- SELECT hostname AS hostname FROM system_info;
which looks like at load time to me
also - does distributed interval affect ad-hoc queries run from the UI?
nm, distributed_interval is all about those ad-hoc (aka distributed) queries. might have to do a TCP dump and see what's going on with these check ins