👋 Hi again everybody. Does anybody know what the config precedence order is for flags vs. config plugins (i.e. TLS-based config/options)? or a way to read the actual, running configuration of an osquery node?

sudo osqueryi

doesn't seem to be showing actual configuration in .show/.summary

If you have live query capability, try

select * from osquery_flags

ah thanks @zwass I swear it used to pick up some of config via .show/.summary, but maybe my brain isn't working as well as I hoped

You could pick up some of the osqueryi configuration by selecting from the

osquery_flags

table. But it wouldn't be the same config (unless loading from the same flag/config files)

hmm ok so no real way to query a running 'osqueryd' config outside of an

osquery_flags

distributed query from Fleet? (love Fleet btw, thanks for such a great OSS project).

You could connect to the extensions socket locally and run that same query

awesome! thanks. looking for an excuse to play with osquery-go