Hi! I'm playing around with the distributed queries. I got the daemon to

read

(I saw that in the osqueryd logs) but I do not get the daemon to

write

or even show something like this:

Executing distributed query: kolide_detail_query_os_version: select * from os_version limit 1

I'm not using the fleet server, doing an experiment haha. I

disable_distributed=false

and the result of the

/distributed/read

is this one:

{
  "queries": {
    "dad0f587-abf3-4278-8664-7bc6fa8a8b762": "select * from system_info"
  },
  "node_invalid": false
}

What could be misconfigured in the daemon to not write data?

This looks like invalid json

Sorry, I copied it wrong. There it is updated.

That looks correct. You have

--verbose --tls_dump

on? Have you configured

--distributed_tls_write_endpoint

?

I'm using

--verbose

, not using

tls_dump

and yes I've configured

distributed_tls_write_endpoint

.

Using

tls_dump

will help you see exactly what osquery is reading and writing with the server.

Cool. I'll troubleshoot with that flag.

🍻