Hey folks, I have 3k osquery enrolled in Kolide Fleet, and I'm aiming for 50k machines to be enrolled. But from my test group I started to see some issues with Kolide Fleet (open source), which I can clarify later. My question is: has anyone managed to have a large fleet of osquery managed, and what was your solution? How do you handle results of interactive queries: do they get logged or pushed to the browser? Appreciated.
Hi @Ahmed, for Kolide-related questions I recommend asking in the #kolide channel. That being said, if you are interested in professional support for standing up large instances of Kolide Fleet, @zwass is one of the original contributors of osquery and built a large portion of Kolide Fleet. He now operates as an osquery/Fleet consultant and has helped other organizations scale and customize their Fleet instances. I would recommend you get in touch with him.
Thanks a lot for the recommendation, I definitely will do that. But my question here is also: has anyone else managed to have a large deployment, and what was their solution?
A common pattern to scale is to use a tiered pub/sub and aggregate data per site before sending it up the chain. I don't think osquery supports this, but since there is a client API, writing something like this wouldn't be too challenging. If you want it to work with Kolide Fleet then it's most likely a larger undertaking. But the nice thing is that you're scaling at the pub/sub level, and most large-scale infrastructures already use something like Kafka for that.
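To make the "aggregate per site, then publish up the chain" tier concrete, here is an added example that is not code from osquery, Kolide Fleet or any poster in this thread. It consumes osquery's JSON result log (one object per line with `name`, `hostIdentifier`, `action` and `columns`, or `snapshot` for snapshot queries), collapses the results for one site into one message per scheduled query, and hands each message to a `publish` callback. The callback is a stand-in for a real Kafka producer; the log lines, site names and the `merge_upstream` tier that a regional aggregator would run are constructed for the example and are not part of any osquery or Fleet API.

```python
"""Per-site aggregation of osquery result logs before forwarding upstream.

Added example (not osquery/Fleet code). Assumes the standard osquery JSON
result-log shape; the publish() hook stands in for a Kafka producer.
"""
import json
from collections import defaultdict
from typing import Callable, Dict, List, Tuple

# Constructed sample of osquery differential and snapshot result lines for one
# site, including two malformed lines that a robust aggregator must skip.
SAMPLE_LOG = """\
{"name":"pack/incident/listening_ports","hostIdentifier":"host-a","action":"added","columns":{"port":"4444","pid":"812"},"unixTime":1700000000}
{"name":"pack/incident/listening_ports","hostIdentifier":"host-b","action":"added","columns":{"port":"4444","pid":"77"},"unixTime":1700000001}
{"name":"pack/incident/listening_ports","hostIdentifier":"host-a","action":"removed","columns":{"port":"8080","pid":"300"},"unixTime":1700000002}
{"name":"pack/baseline/os_version","hostIdentifier":"host-c","action":"snapshot","snapshot":[{"name":"Ubuntu","version":"22.04"}],"unixTime":1700000003}
this line is not json and must be skipped
{"hostIdentifier":"host-d","action":"added","columns":{}}
"""


class SiteAggregator:
    """Collapses one site's osquery results into one message per query name."""

    def __init__(self, site: str, publish: Callable[[dict], None], sample_rows: int = 3):
        self.site = site
        self.publish = publish          # where a real deployment would call a Kafka producer
        self.sample_rows = sample_rows  # keep a few raw rows per query for triage, not all of them
        self.skipped = 0
        self._stats: Dict[str, dict] = defaultdict(
            lambda: {"added": 0, "removed": 0, "snapshot": 0, "hosts": set(), "sample": []}
        )

    def ingest(self, line: str) -> bool:
        """Parse one result-log line; returns False (and counts it) if malformed."""
        try:
            rec = json.loads(line)
            name, host = rec["name"], rec["hostIdentifier"]
            action = rec.get("action", "added")
        except (ValueError, KeyError, TypeError):
            self.skipped += 1
            return False
        st = self._stats[name]
        st["hosts"].add(host)
        if action == "snapshot":
            rows = rec.get("snapshot", [])
            st["snapshot"] += len(rows)
        else:
            rows = [rec.get("columns", {})]
            st["removed" if action == "removed" else "added"] += 1
        for row in rows:
            if len(st["sample"]) < self.sample_rows:
                st["sample"].append(row)
        return True

    def flush(self) -> List[dict]:
        """Publish one aggregate message per query and reset the window."""
        batch = []
        for name, st in sorted(self._stats.items()):
            msg = {
                "site": self.site,
                "query": name,
                "added": st["added"],
                "removed": st["removed"],
                "snapshot_rows": st["snapshot"],
                "host_count": len(st["hosts"]),
                "hosts": sorted(st["hosts"]),
                "sample": st["sample"],
            }
            self.publish(msg)
            batch.append(msg)
        self._stats.clear()
        return batch


def aggregate_site_log(site: str, text: str) -> Tuple[List[dict], int]:
    """Run one site's log through the aggregator; returns (published batch, skipped lines)."""
    sink: List[dict] = []
    agg = SiteAggregator(site, sink.append)
    for line in text.splitlines():
        if line.strip():
            agg.ingest(line)
    agg.flush()
    return sink, agg.skipped


def merge_upstream(site_messages: List[dict]) -> Dict[str, dict]:
    """Next tier up: fold per-site messages into per-query totals across sites."""
    totals: Dict[str, dict] = defaultdict(lambda: {"sites": set(), "added": 0, "removed": 0, "hosts": 0})
    for m in site_messages:
        t = totals[m["query"]]
        t["sites"].add(m["site"])
        t["added"] += m["added"]
        t["removed"] += m["removed"]
        t["hosts"] += m["host_count"]
    return {q: {**t, "sites": len(t["sites"])} for q, t in totals.items()}


if __name__ == "__main__":
    batch, skipped = aggregate_site_log("site-1", SAMPLE_LOG)
    print(f"published {len(batch)} messages, skipped {skipped} bad lines")
    print(json.dumps(merge_upstream(batch), indent=2))
```

The point of the shape is that the upstream tier only ever sees per-query counts, host lists and a bounded sample, so its volume grows with the number of sites and scheduled queries rather than with the number of endpoints; keep the raw per-host log at the site tier for forensics.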