#fleet
Ian Muscat

05/26/2021, 9:57 AM
Hi there, I’ve noticed that when running queries on the file_events table where there are a considerable amount of file events (600+ events) live queries via Fleet keep processing and never return results. Running the same query from inside of osqueryi on the host, returns results immediately. Are there any known issues/limitations around this, or would it make sense to try and reproduce this behavior further/more consistently? Thanks!
Noah Talerman

05/26/2021, 1:32 PM
Hi @Ian Muscat does the same “never return results” behavior also occur when running the query via fleetctl? In addition, do you mind filing an issue on GitHub with reproduction steps here? https://github.com/fleetdm/fleet/issues/new/choose
Ian Muscat

05/26/2021, 1:34 PM
does the same “never return results” behavior also occur when running the query via fleetctl
Hmm that’s a good point, I have not tested that out. I’ll try and replicate this (this was observed on a production server, so I was limited in what I could test). Tuning the FIM config to monitor fewer files solved the issue though.
2:55 PM
Minor update on this. I’ve come across this a few more times. It only seems to happen for live queries. @Noah Talerman I’ve tried your suggestion of using fleetctl not just the UI — I get the same behaviour, I don’t think it is exclusively a UI issue. I’ve replicated the behaviour on tables other than file_events (I’ve been experiencing this behaviour on pretty much any table). Re-running the same query after a few minutes seems to “fix” the issue, but what is interesting is that there seems to be a spike in Fleet’s CPU usage whenever this “waiting” condition occurs (see attached image). I don’t see much in terms of Fleet logs. Not sure if it’s worth opening an issue with this information or if it’s worth collecting some more info/reproducing this issue more consistently (at the moment, I can’t reproduce this issue at will)?
Noah Talerman

06/01/2021, 3:37 PM
Your insights are super helpful. There seems to be evidence of similar (the same?) issues here in this Slack thread and here in this existing GitHub issue. Can you please add the information you’ve provided to the existing GitHub issue if you think it’s appropriate? If you believe the issues are different, please file a new GitHub issue.