Osquery uses basic SQL commands to leverage a relational data-model to describe a device.

osquery

Hello, may I ask if I deleted the pack pack on fleet UI, but the log of pack pack query will still be generated? What's the situation?

Hi demonbhao. Do you mind walking me through the steps you took from deleting the pack within the Fleet UI to viewing the generated log output?

2.png

1.png

Ok, on my side, I first logged on to the Fleet UI to pause the pack query, and then I went back to the Fleet server and found that the logs were still sent (Figure 1).Later I deleted the Pack query directly, but the Fleet server still sent the query log.Figure 2 shows the Pack shown on the Fleet UI

Can someone help me please?This problem has been bothering me for a long time and now the log data is contaminated

Sorry for the delayed response. I’m brining up this question with the Fleet team

<@U018R0ANJFN> are the logs from the deleted pack still being sent? Sometimes, users encounter a lag after deleted a pack because osquery hasn’t reloaded the configuration (so it knows which queries to run). This lag would result in the logs from deleted packs still being sent before the configuration is reloaded.

Hello, the log is still being sent. It has been going on for several days

79.png

78.png

Even when I updated Fleet to the latest version 3.5.1, logs continued to be generated in ELK.I don't have this query package in the red flag

Are the two enabled query packs (`General indicators` and `ossec_rootkit`) also generating logs in kibana?

I wonder if the machines generating the `listening_external_port_V1` logs have had their osquery configuration changed since you deleted this query pack. Meaning they know that the only query packs they should be running are the two in your second screenshot.

I’m going to attempt to recreate your issue later today.

80.png

My God, I came to check Elk's log today and found that the deleted pack package is finally not querying
I really appreciate your help

Great! The issue seems like an odd one to me. Glad it’s resolved. Do you mind adding your last message in <https://github.com/fleetdm/fleet/issues/176|the GitHub issue> and closing that issue?