if osquery runs a scheduled query and the tls endpoint is no

Question

if osquery runs a scheduled query and the tls endpoint is not reachable at that time the results are sent as soon as the connection to the tls endpoint is estabilished

seph · Answer

Yes osquery buffers logs until it can send them I don t remember what the max amount buffered is but it should handle some outage

vaar · Answer

and if the host is turned off the schedule will start from the osquery process start time or the missing scheduled query are resumed

seph · Answer

What host If the endpoint is turned off there is nothing missed If the logging destination is offline the logs are bugged until they can be sent

vaar · Answer

I mean the host where osquery is running

vaar · Answer

if a scheduled query was planned for the next 5 min and the machine is off the query is just missed or it will run after 5 minutes from the osuqery process start time

seph · Answer

If the host is turned off than what is missing

vaar · Answer

let s say that there is scheduled query every 12 hours 12 hours is calculated from the osquery process start time so afther 10 hours the machine is turned off and than come back after 5 so the scheduled query is just skipped So now that the machine is online again the scheduled query runs after 12 hours from the osquery process start or what

Zach Zeid · Answer

I believe the scheduled query happens from the time the osqueryd service is running

Zach Zeid · Answer

so it s be the query runs 12 hours after the osqueryd process is started

vaar · Answer

so the query is scheduled again after 12 hours

seph · Answer

It should run roughly every 12h of uptime

seph · Answer

I d have to double check code or docs

zwass · Answer

The schedule will restart with the osquery process start time If the host is sleeping so the osquery process is not terminated no time passes in the schedule

zwass · Answer

6 on <https dactiv llc blog 10 pitfalls on the path to osquery bliss >