Hi does anybody know if the buffered events are sent in any osquery #general

Hi , does anybody know if the buffered events are ...

Juan Alvarez

04/22/2022, 3:48 PM

Hi , does anybody know if the buffered events are sent in any specific order? In example, i have some hundreds agents collecting events (in this case, collecting from the

syslog_events

table). osquery is configured to send to a tls endpoint, and the tls endpoint stops working for 3 hours. Once the tls endpoint is responsive again, osquery starts sending data but, will it come in any order? Will it start sending older events first and newer after? Or will the order be random? Thanks!

Stefano Bonicatti

04/22/2022, 4:12 PM

It will restart sending them in the order of the oldest first

Juan Alvarez

04/22/2022, 4:15 PM

and will priorize them over the new ones? In example, if i have a constant 100EPS, will it send the older ones when it has room to do so?

Juan Alvarez

04/22/2022, 4:16 PM

because new events will keep coming in all the time

Stefano Bonicatti

04/22/2022, 4:32 PM

It’s not a matter of prioritization, there’s a single queue of JSON serialized events that gets sent to the TLS service. Keep in mind though that this order is based on when the events has been serialized in the DB which might not be the same order of when it actually has been generated

Stefano Bonicatti

04/22/2022, 4:34 PM

That been said, if we are not talking about having a total order that precisely respects when they are generated, then again, the buffered logger sends the logs from oldest to newest

Juan Alvarez

04/22/2022, 4:39 PM

i see, so while there are still pending events to send, the new events will keep getting added to the queue, and will only be sent after all the older events are sent.

Stefano Bonicatti

04/22/2022, 4:39 PM

yes

Juan Alvarez

04/22/2022, 4:40 PM

understood, thanks!

42 Views

Open in Slack

Previous Next