Does anyone know how long fleet (by default) waits for a client check-in before it marks that client offline? Also, which client setting controls the 'check-in'? I'm guessing there may be various client actions that could signal to fleet that a client is online, including a config_refresh, or checking with the distributed query server to check if there are queries to execute (i.e. distributed_interval) and others. Any guidance?

thanks

I think that might be

--config-refresh

on the client side.

ack, thanks again.

The linked code is the duration for MIA (hosts that have not been seen for 30 days). The online status is calculated for each host based on the observed intervals set for

config_refresh

,

logger_tls_period

, and

distributed_interval

. IIRC we give some grace period over the "expected" interval.