https://github.com/osquery/osquery logo
Powered by
#fleet
Title
m

Mystery Incorporated

08/01/2021, 11:16 AM
When it says last fetched for each osqueryd agent, is that the value of osquery_detail_update_interval ? I notice that osquery_detail_update_interval is defaulted to 1hr, when I set it to 
osquery_detail_update_interval: 25m
the refetch rate doesn't seem to change is that expected or not? it's not clear.
z

zwass

08/01/2021, 8:05 PM
Last fetched is based on when the queries were actually last run. The update interval is how often they should run.
m

Mystery Incorporated

08/02/2021, 3:25 AM
@zwass do you mean on demand queries? So I shouldn't see a refetch unless I run an on demand query is that right?
z

zwass

08/02/2021, 3:17 PM
No. The host "vitals" are retrieved via the same mechanism that live queries use, but they are initiated automatically by the Fleet server any time the vitals are older than the configured interval.
m

Mystery Incorporated

08/06/2021, 4:26 AM
@zwass hmm ok what is the setting for the interval might I ask? Because my live query interval is 90 seconds and I have hosts not being refreshed for at least an hour, and my config_refresh interval is 25 minutes
Copy code
logger_plugin: tls
        config_refresh: 90
        pack_delimiter: /
        logger_tls_period: 5
        distributed_plugin: tls
        disable_distributed: false
        logger_tls_endpoint: /api/v1/osquery/log
        distributed_interval: 95
        distributed_tls_max_attempts: 5
        osquery_detail_update_interval: 25m
^ This is my current config and I am seeing hosts saying last checked in an hour ago
@zwass I would have thought osquery_detail_update_interval was the one with which osquery would check in with refetched details?
z

zwass

08/06/2021, 3:18 PM
distributed_interval
is a flag on osquery. It's how often osquery will make a distributed query request to Fleet. 
osquery_detail_update_interval
is a flag on Fleet. It's how often Fleet will respond to a distributed query request with the detail queries. Does this help clear things up?
m

Mystery Incorporated

08/07/2021, 6:52 AM
@zwass actually I think I understand what you mean, osquery_detail_update_interval tells osqueryd on the next distributed query checkin to reply with the details? That is what you mean right? Yes I see I found it on the old kolide doco with google https://github.com/kolide/fleet/blob/master/docs/infrastructure/configuring-the-fleet-binary.md
What does --osquery_label_update_interval do??? What is a label query I never even heard of such a thing?
Ok yes I see that it is refetching in ~25m intervals now
Still don't know what a label query is lol
z

zwass

08/08/2021, 7:34 PM
m

Mystery Incorporated

08/09/2021, 1:15 AM
Heh yea just seems unfortunate that Google takes the old doco as canonical and doesn't seem to update paths with the new doco. I guess I could and should search the repo directly. But I still don't know what a label query is :/
Ah I see now, I was completely missing the label button in Fleet UI. I see, it groups hosts into a label using a query result. Got it.
Powered by