#fleet

Artem

02/20/2021, 6:17 AM
Hello, everyone! For some time now we have been trying to solve our problem with queries falling into the denylist. Visually, it seems that the problem is not in the resources, because a query falls into it right after the service restart, and the resource thresholds are set very high (CPU=250, RAM=400). There are several threads above on this topic. One suggestion was to disable the watchdog altogether and look at the behavior. But then a new problem arose: for some unknown reason, our Fleet (3.7.0) practically does not recognize that the watchdog is disabled on the client. There are some screenshots with the current user config, the fact of restarting the osqueryd service after updating the config, and the result of the query after that from Fleet, which confuses me. At the same time, if you make a local query to osquery_flags or osquery_info through osqueryi, then it says that the watchdog is disabled correctly. Has anyone encountered similar behavior? If yes, please help! We tried to reinitialize the Fleet databases, but it didn't help. osquery on the clients is up to date; we selectively tried to reinstall it, but that did not help either.
zwass

02/20/2021, 7:15 PM
What do you mean by "recognize that watchdog is disabled on the client"? Fleet has no control over the watchdog as it is controlled by startup flags in your flagfile. You can configure Fleet to send the config `disable_watchdog=true`, but it's not going to have an effect (though it may show the value Fleet sent when you query `osquery_flags`).
7:16 PM
Keep in mind that `osqueryi` running locally may not be running the same flags as `osqueryd` (they could have been started with different flagfiles, and `osqueryd` likely has received some config from the Fleet server).
Artem

02/21/2021, 9:43 AM
Hello @zwass! Thank you for the answer! Could you please explain more about the different flags for osqueryi and osqueryd? This is something new for me. If we talk about recognizing the watchdog-disabled status, I meant that by setting the `--disable_watchdog` option in osquery.flags as shown in the screenshot and running osqueryd with this flagfile, I expected this flag to be correctly recognized when executing the `SELECT * FROM osquery_flags where name='disable_watchdog'` query from Fleet. Perhaps I do not fully understand what I am doing wrong, so I ask you to explain, please, but it seems to me that my actions are quite logical. I do not set any options for the watchdog separately via Fleet; all non-default values are specified only in the osquery.flags file. Therefore, I expected that I would get the same values for this parameter in osqueryd and osqueryi. Thank you!
zwass

02/21/2021, 5:46 PM
I don't know what is going on in your local environment. When I add `--disable_watchdog` to my flagfile I get the expected value of `true` when I live query the flag. My best guess is you are not running the flagfile you think you are, or you are setting the flag some other way.