Osquery uses basic SQL commands to leverage a relational data-model to describe a device.

osquery

Are there any hints as to where files that are carved, end up? Or is fleet not yet ready for this?

As from Fleet 3.6.0 carved files can be stored in AWS S3 buckets. Previously they were stored in Fleet's database. 

You can checkout this issue for more info on this.

<https://github.com/fleetdm/fleet/issues/111|https://github.com/fleetdm/fleet/issues/111>

Thanks; I found them in the mysql carve_blocks table. I hope the function(s) to operate on this data will appear. As for S3, that's great, but I couldn't readily see where the configuration for the buckets would be? (I would like to use my own <http://min.io|min.io> S3 store, for that matter.)

Use `fleetctl get carves` to get the data from MySQL

Hi, <@U02P85RLVDL>! You can check out the <https://fleetdm.com/docs/deploying/configuration#s-3-file-carving-backend|docs> for more information on setting up the carving backend.

By the way, that docs page has a typo at "allow​_missing​_migations" (headline under Upgrades)

<https://fleetdm.com/docs/deploying/configuration#upgrades>

Thanks <@U02P85RLVDL> for catching that. I just submitted a PR to fix that typo.

<https://github.com/fleetdm/fleet/pull/3405|https://github.com/fleetdm/fleet/pull/3405>