Also wondering, what are some of the larger fleets out there, and gotcha’s, issues etc that might be faced? We’re looking at a 50-80k node fleet (mostly Linux, some Mac, mostly in one region but overall globally distributed). My current thinking for alternative is to tely mostly on scheduled queries for most of what we’re after, running osquery queries direct via batch ssh when needed, logging out to a local file which is forwarded to aggregation like other system logs. Keen to hear experience & thoughts.

We’re looking at a 50-80k node fleet (mostly Linux, some Mac, mostly in one region but overall globally distributed)

We know of users that are using fleet with 100k+ devices. And (last I checked) we generally load test each release of fleet with ~100k devices.

My current thinking for alternative is to tely mostly on scheduled queries for most of what we’re after

Fleet support scheduled queries (and grouping them by packs). https://fleetdm.com/docs/using-fleet/faq#scheduled-queries

running osquery queries direct via batch ssh when needed

No need for ssh. Fleet has support for what we call "live queries", basically allows you to write a query and execute it on all (or a subset) of the online hosts.

Thanks @Lucas Rodriguez My ‘alternatives’ were ideas for a non-fleet world - where we could perhaps utilise osquery without fleet.

Glad to hear our docs are helpful!