I know that osqueryd and osqueryi do not interact with one a

Question

I know that osqueryd and osqueryi do not interact with one another like watchdog can t kill osqueryi if it s running a performance heavy query However do the two share the RocksDB embedded database I ask because we have `select from osquery schedule ` as a scheduled query and can see the results being returned in elasticsearch but if we try to do that query in `osqueryi` the fields are zeroed out

zwass · Answer

They do not share the RocksDB database Only one process may have RocksDB open at one time

zwass · Answer

Sometimes it can be useful to stop osqueryd and connect osqueryi to the database Then you can select against the event based tables and see what is in there

Antoinette · Answer

I figured this might be the case We have events disabled but does osquery not store the metrics for `osquery schedule` in the database

Antoinette · Answer

^ We connected osqueryi to the osqueryd database and still empty table it isn t urgent but definitely making us scratch our heads a little

zwass · Answer

When you start osqueryi there will be no schedule I m not sure there s a good way to look at the `osquery schedule` table besides as a scheduled query or a live query against a running osqueryd

Antoinette · Answer

Yeah I understand what it s doing now after Seph said it s keeping the metrics in memory and then I went through and read some of the code in the repo Makes sense Thank you