# fleet
d
Mucking around with some ideas. Does Fleet remove the redis messages for live queries from redis (results_*) once it gets them? Based on what I am seeing in the code, it looks like it is just a normal pub/sub setup, but just wanted to check.
z
Yes, as it's using the pub/sub features of Redis the message is gone after the subscribers have received it.
d
hmmmm. When I have another subscriber, Fleet is only picking up some of the results, not all.
z
You're saying you have another client using a redis SUBSCRIBE command?
d
yes, I just verified it using a different client.
redis-cli
PSUBSCRIBE *
Run the default query against 3 systems (select * from osquery_info) - I get 1 result from each of the 3 systems in the redis-cli, but only get 2 results in the Fleet UI. (3 hosts returning 2 results)
Stop redis-cli and rerun the default query over and over and I get all 3 expected results.
Here is a screencapture of what I am seeing: https://www.screencast.com/t/B3HdKEBY5K8N
z
Yep, I see it.
d
I will submit an issue, as it appears it must be a bug of some kind
z
I think it's because Redis doesn't take writes to the pubsub channel until there's at least one listener. This is fine for typical usage since osqueryd will just wait until there's a listener. In your case it's probably that some results are being read by the redis shell listener and are not made available to the UI live query listener.
I would say this is more of using an internal API that is not intended to support the use case than a bug. Can we talk about what you are trying to achieve and see if there's a better way?
d
sure - short version: I am playing around with the idea of being able to make a copy of the live query results and send it to another system so that the user can run further analysis beyond what is currently available in the Live Query UI. (ie stacking, filtering, etc). I actually have it working quite well already (Logstash subs to the channel and pushes the results to ES, which is then accessible to another tool). I would still like the results of the Live Query to be accessible in the WebUI as it is currently - that is why I was going down the rabbit hole of trying to figure out what is going on.
When you say internal API, you are referring to Redis, not Fleet, correct?
z
When I say internal API I'm referring to the way Fleet uses Redis to push live query results around. Fleet never expected someone to "hook in" to that point.
d
Once again, here is a quick idea of what I am doing: https://www.screencast.com/t/FH8G5wTI
z
Fleet expects a listening subscriber to indicate that the web UI is listening essentially. So the confusion is that you've got something else listening.
Let me have a look at how tricky it would be to make that signal work differently.
d
Thanks Zach!
z
Okay, so a couple of things: 1. Is this something you are ready to ship? Trying to judge whether the change needs to make it in for the release tomorrow or if it can wait a few weeks. 2. We can probably make this work for your use case. This would still be working with an internal API, so no guarantees of stability. Does that work for you?
d
Nope, it can wait
no rush
I'm good with #2 👍
z
Okay cool can you please file an issue so we can track this? I have some ideas.
šŸ‘ 1
n
Just casting in some extra feedback - I'd love to have live query stuff logged from fleet (and possibly some other visibility) if this is something you're actively looking into @zwass. Probably several requests:
• ability to log all results to wherever fleet is configured to send its logs
• saving live query results, even temporarily, and providing a way to view them from the UI
• ability for admins to view & possibly cancel currently-running live queries
• sorting / searching of live query results (#177)
👍 1
m
@nyanshak re: request #3, wrote up some thoughts: https://github.com/fleetdm/fleet/issues/348
👀 1
upvote 1
d