Hello why is it that my online query on Fleet UI is not the osquery #fleet

Hello, why is it that my online query on Fleet UI ...

demonbhao

02/04/2021, 2:09 AM

Hello, why is it that my online query on Fleet UI is not the same as my differential query?I ran a query on Fleet UI every half an hour and found no change, while using a differential query generated logs every half an hour

zwass

02/04/2021, 2:19 AM

Is it definitely a differential query? If you are getting the same log every time the query runs maybe it is set for

snapshot: true

demonbhao

02/04/2021, 2:22 AM

Hello, I set the difference query

demonbhao

02/04/2021, 2:23 AM

All the query statements are differential queries, because I want to use osquery for intrusion detection.So it is every half an hour to check the host for abnormal processes and ports and so on

zwass

02/04/2021, 2:25 AM

This is the

General indicators

pack we are looking at?

demonbhao

02/04/2021, 3:53 AM

Yes, that's the overall metric we're looking at

zwass

02/04/2021, 5:11 PM

Can you run

--verbose --tls_dump

on the host and double-check that Fleet is not sending

"snapshot": true

for that query?

demonbhao

02/05/2021, 3:30 AM

OK, I will save the result and reply to you

demonbhao

02/05/2021, 12:09 PM

Hello, this is my result

2 Views

Open in Slack

Previous Next