I have 3k osquery hosts enrolled in Kolide Fleet, and I'm aiming for 50k machines to be enrolled. But from my test group I started to see some issues with Kolide Fleet (open source), which I can clarify later. My question is: has anyone managed to have a large fleet of osquery hosts managed, and what was your solution? How do you handle the results of interactive queries: do they get logged or pushed to the browser?
12/23/2019, 1:30 AM
Hi @Ahmed, for Kolide-related questions I recommend asking in the #kolide channel.
That being said, if you are interested in professional support for standing up large instances of Kolide Fleet, @zwass is one of the original contributors of osquery and built a large portion of Kolide Fleet.
He now operates as an osquery/fleet consultant and has helped other organizations scale and customize their Fleet instances. I would recommend you get in touch with him.
12/23/2019, 6:31 AM
Thanks a lot for the recommendation, I definitely will do that. But my question here is also: has anyone else managed to have a large deployment, and what was their solution?
01/03/2020, 5:36 AM
A common pattern to scale is to use a tiered pub/sub and aggregate data per site before sending it up the chain. Don't think osquery supports this, but since there is a client API, writing something like this wouldn't be too challenging. If you want it to work with Kolide Fleet, then it's most likely a larger undertaking.
But the nice thing is that you're scaling at the pub/sub level, where most large-scale infrastructures already use something like Kafka.