Osquery uses basic SQL commands to leverage a relational data-model to describe a device.

osquery

Does anyone know how long fleet (by default) waits for a client check-in before it marks that client offline?  Also, which client setting controls the 'check-in'?  I'm guessing there may be various client actions that could signal to fleet that a client is online, including a config_refresh, or checking with the distributed query server to check if there are queries to execute (i.e. distributed_interval) and others.  Any guidance?

<https://github.com/kolide/fleet/blob/7494513400b1d15d3e770358350d227ffbe2e4ce/server/kolide/hosts.go#L33>

wouldn't a config refresh or a check for new queries generally flag a client as online?

I think that might be `--config-refresh` on the client side.

There is also <#C1XCLA5DZ|kolide> for these questions that might go further.

The linked code is the duration for MIA (hosts that have not been seen for 30 days). The online status is calculated for each host based on the observed intervals set for `config_refresh`, `logger_tls_period`, and `distributed_interval`. IIRC we give some grace period over the "expected" interval.