We have production and test Fleet servers. I recently found that there are some differences in the syntax of the result logs received from osquery through them, despite the same version (3.11) and visually identical configuration. Although I do not exclude that I am missing something.
Logs from the production server contain fields with data inside the “columns” JSON object, while the logs from the test server contain fields with data inside the “snapshot” object. In both cases, the queries are executed as snapshot queries, and both logs contain an “action”: “snapshot” key-value pair.
Could you please help me understand the reason for such discrepancies and eliminate it?
08/04/2021, 8:44 PM
Hi Artem! Fleet just passes on the logs exactly as received so you might want to focus your debugging on the differences in the osquery configuration as well as potentially pack configurations. #general may have some additional ideas if you want to try cross-posting there. Please let us know what you learn :)