I saw there is a --timeout flag in a fleetctl which is a nice feature. Is there anything similar in the WebUI. I've been running a simple query over 1389 hosts and under one minute 1386 of them returned results. Then the query runs forever I think (at least I have waited few mins before stopping this). What's the core of this problem. Could have this been mitigated in fleet or osquery ?

Are you concerned that this is causing a performance impact on Fleet and/or osquery clients? With the

--timeout

flag in

fleetctl

I figure that's useful because you might be running the query with a shell script or some other automation. I don't see the same use case in the UI. Just trying to understand your motivation here.

No, I am mostly concerned that my query never ends 🙂 And I even don't know why and which hosts fail

Yeah it is a little strange. Seems you've got 1 host that didn't respond. If a host responds with an error it will be counted as responded, so it seems this one host appears "online" to Fleet but is not actually responding to the query (or possibly there is some error in recording the response).

yeah, I need to make a diff between all hosts in fleet and those that are sending response. maybe I can find the one that has issues

Please let me know if you find anything.

I found the offending host, it doesn't seem to be getting the distributed query

--tls_dump

can usually help with such things

it receives 13 distributed queries

Does that host respond with results to those queries?

it executes those queries, but they have been done in the past

Do you see logs in

--tls_dump

indicating that the host actually makes the request with the results back to Fleet?

it should send to /write ?

Yes

no, I don't see that info

Have you identified whether osquery is sending the response to Fleet?

Yeah, I am not seeing osquery sending to /distributed/write

You probably have label and detail queries that Fleet is trying to run. Fleet decides whether to run those based on when the last results were written. If that host is not actually writing results then Fleet would send those queries each time. Your live queries should only be sent to the host while they are "running".

Hi @Wojtek did you end up finding the reasoning for a host appearing “online” in Fleet but not responding (hanging) to the live query? I think a similar issue was raised in this issue on GitHub.

Hi @Noah Talerman. I didn't have time to dig too much. The only thing I found out was that restarting osquery on the affected host helped. If I get more of these issues I will dig deeper and let You know.