Channels
doorman
infrastructure
random
zercurity
community-feeds
fleet-dev
code-review
queryhub
apple-silicon
carving
tls
fim
goquery
zentral
aws
querycon
golang
zeek
file-carving
fuzzing
auditing-warroom
linen-dev
fleetosquery
plugins
jobs
arm-architecture
darkbytes
process-auditing
uptycs
android_tests
selfgroup
vendor-feeds
fleet
eclecticiq-polylogyx-extension
ebpf
website
core
general
macos
kolide
osctrl
extensions
foundation
sql
officehours
linux
windows
Title
d
Dan Achin
03/16/2021, 8:18 PMHas anyone had issues with the osquery client creating new sessions at the same interval as tls logger period? We set ssl_session_reuse to true, but that didn't change the behavior
additionally, it looks like when we hit the logger period (10 sec) we see the client connect and sent 10kb of data. This appears to be a check-in only as we only run a handful of queries at this time and most are once per day or maybe once per hour. 10kb of data every 10 seconds becomes a decent amount of bandwidth for 4000 nodes and eventually we are going to scale to 30 or more. Is this 10kb expected? seems like of like a lot of data for just checking in. We are going to increase our logger period to 60 seconds, but wanted to check with the community to see if anyone else has experienced this. I'm struggling to think of what kind of data is being sent each time the client checks for buffered logs if we aren't running any frequent queries.
actually, I think it's our distributed_interval
not logger...makes a lot more sense now
t
theopolis
03/17/2021, 4:01 PMyeah that seems like a lot of data for a checkin, did you figure it out?
d
Dan Achin
03/17/2021, 4:57 PMNot quite @theopolis, we did change our distributed_interval from 10 to 300 and I'm waiting on the network team to tell me what affect that's had. Are decorator queries run when the client checks in for either config refresh or on the distributed interval?
this is all we have in options for that
decorators:
load:
- SELECT uuid AS host_uuid FROM system_info;
- SELECT hostname AS hostname FROM system_info;
always:
- >-which looks like at load time to me
also - does distributed interval affect ad-hoc queries run from the UI?
nm, distributed_interval is all about those ad-hoc (aka distributed) queries. might have to do a TCP dump and see what's going on with these check ins