Osquery uses basic SQL commands to leverage a relational data-model to describe a device.

osquery

Also wondering, what are some of the larger fleets out there, and gotcha’s, issues etc that might be faced? We’re looking at a 50-80k node fleet (mostly Linux, some Mac, mostly in one region but overall globally distributed). My current thinking for alternative is to tely mostly on scheduled queries for most of what we’re after, running osquery queries direct via batch ssh when needed, logging out to a local file which is forwarded to aggregation like other system logs.
Keen to hear experience &amp; thoughts.

&gt; We’re looking at a 50-80k node fleet (mostly Linux, some Mac, mostly in one region but overall globally distributed)
We know of users that are using fleet with 100k+ devices.
And (last I checked) we generally load test each release of fleet with ~100k devices.

&gt;  My current thinking for alternative is to tely mostly on scheduled queries for most of what we’re after
Fleet support scheduled queries (and grouping them by packs).
<https://fleetdm.com/docs/using-fleet/faq#scheduled-queries>

&gt;  running osquery queries direct via batch ssh when needed
No need for ssh. Fleet has support for what we call "live queries", basically allows you to write a query and execute it on all (or a subset) of the online hosts.

I've just got this from our infrastructure team: <https://fleetdm.com/docs/deploying/load-testing>

Thanks <@U02J4JCKDL2>
My ‘alternatives’ were ideas for a non-fleet world - where we could perhaps utilise osquery without fleet.

The load testing &amp; reference architecture are helpful! Looking forward to going through it more once I can get it running.