Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
m
Mystery Incorporated
08/01/2021, 11:16 AMWhen it says last fetched for each osqueryd agent, is that the value of osquery_detail_update_interval ?
I notice that osquery_detail_update_interval is defaulted to 1hr, when I set it to
osquery_detail_update_interval: 25mz
zwass
08/01/2021, 8:05 PMLast fetched is based on when the queries were actually last run. The update interval is how often they should run.
m
Mystery Incorporated
08/02/2021, 3:25 AM@zwass do you mean on demand queries? So I shouldn't see a refetch unless I run an on demand query is that right?
z
zwass
08/02/2021, 3:17 PMNo. The host "vitals" are retrieved via the same mechanism that live queries use, but they are initiated automatically by the Fleet server any time the vitals are older than the configured interval.
m
Mystery Incorporated
08/06/2021, 4:26 AM@zwass hmm ok what is the setting for the interval might I ask? Because my live query interval is 90 seconds and I have hosts not being refreshed for at least an hour, and my config_refresh interval is 25 minutes
logger_plugin: tls
config_refresh: 90
pack_delimiter: /
logger_tls_period: 5
distributed_plugin: tls
disable_distributed: false
logger_tls_endpoint: /api/v1/osquery/log
distributed_interval: 95
distributed_tls_max_attempts: 5
osquery_detail_update_interval: 25m^ This is my current config and I am seeing hosts saying last checked in an hour ago
@zwass I would have thought osquery_detail_update_interval was the one with which osquery would check in with refetched details?
z
zwass
08/06/2021, 3:18 PMdistributed_intervalosquery_detail_update_intervalm
Mystery Incorporated
08/07/2021, 6:52 AM@zwass actually I think I understand what you mean, osquery_detail_update_interval tells osqueryd on the next distributed query checkin to reply with the details? That is what you mean right?
Yes I see I found it on the old kolide doco with google https://github.com/kolide/fleet/blob/master/docs/infrastructure/configuring-the-fleet-binary.md
What does --osquery_label_update_interval do??? What is a label query I never even heard of such a thing?
Ok yes I see that it is refetching in ~25m intervals now
Still don't know what a label query is lol
z
zwass
08/08/2021, 7:34 PMm
Mystery Incorporated
08/09/2021, 1:15 AMHeh yea just seems unfortunate that Google takes the old doco as canonical and doesn't seem to update paths with the new doco. I guess I could and should search the repo directly. But I still don't know what a label query is :/
Ah I see now, I was completely missing the label button in Fleet UI. I see, it groups hosts into a label using a query result. Got it.