I have a couple of questions regarding Fleet. Any help is appreciated.
Is the RESTful HTTP API in Fleet with polling or websockets?
How does the UI make an “on-demand” query to the client osquery nodes - how long does the request take to be sent to the node? Can you send 1 query to 1000s or millions of nodes or is it 1-1 every time?
08/03/2021, 6:56 AM
A dev could answer for sure, but given that we specify a query collection interval, I believe that every "x" seconds osqueryd will connect to and poll for any live query jobs. It does the same thing with configuration to check for config updates.
The UI doesn't reach out to osquery nodes, the nodes "check in" at the interval you specify in the global options.
Can you send 1 query to 1000s or millions of nodes or is it 1-1 every time?
Yep, if you have 1000s or millions of nodes checking in to fleet, they will check in and look for queries assigned to them to process.
So, for example, if you set your live query time to 90 seconds, every 90 seconds osqueryd will connect to Fleet and see if it has any queries to execute.
08/03/2021, 10:05 AM
Thank you so much @Mystery Incorporated
@Mystery Incorporated what I am looking for is where osquery allows “on-demand queries” from the Fleet DM UI. This is possible if osquery implements websockets instead of HTTP polling. Any way to implement this?
08/04/2021, 8:00 AM
@Yash Boura if you write the code it is possible I guess.