#fleet
Dan Achin
11/09/2020, 10:09 PM
Hi all. Does anyone know if clients will keep running their packs on whatever schedule they last got from Fleet, or if they only execute queries when they get a valid response from Fleet when they check in? Eventually we'll have an externally accessible Fleet endpoint for our corp laptops, but currently we are relying on VPN. I'm assuming that if a client can't check in, it's not going to run any queries because a failure to check-in to Fleet would also indicate that the client wouldn't be able to post the results to Fleet. Is this correct?
zwass
11/09/2020, 10:11 PM
The client will continue running the same config and buffering the results until it can get them successfully to Fleet.
Dan Achin
11/09/2020, 10:13 PM
OK, my assumption is wrong then! 🙂
10:14 PM
Cool, will they eventually stop or just run until they run out of disk space? I know that fleet will eventually MIA them...
zwass
11/09/2020, 10:25 PM
They will buffer logs until they reach --buffered_log_max number of logs, then start dropping the oldest.
Dan Achin
11/09/2020, 10:32 PM
Awesome
10:32 PM
thanks
10:33 PM
ya, we definitely don't set that currently
10:34 PM
we'll have to set a reasonable value. Is there a default?
10:35 PM
assuming bytes also...
sundsta
11/09/2020, 10:36 PM
The default is 1million according to https://osquery.readthedocs.io/en/stable/installation/cli-flags/. And it is the number of logs, not bytes
Dan Achin
11/09/2020, 10:38 PM
Great, thanks. I was just going to ask if the default was the number listed in the docs. I wasn't sure if it was safe to assume that having a value present (in the docs) meant it was default.
8:15 PM
@sundsta / @zwass - thanks again for your help, this is much appreciated. I just had one follow up - it looks like we are only using the tls logger plugin and not writing logs to the filesystem. I do see that the --buffered_log_max setting does apply to the tls logger plugin, though without local log files, I'm not sure where the client would buffer results that are only going to send via tls. Can you help me understand how we set a buffer limit when just using tls logger?
zwass
11/10/2020, 8:26 PM
The tls logger buffers logs in RocksDB (the same store used for osquery evented tables) and then sends the logs on interval (logger_tls_period). They are only cleared when they are sent successfully or overflow the max.
Dan Achin
11/10/2020, 8:56 PM
ok, great. so it is buffered to osquery.db
8:56 PM
so would the 1,000,000 be # of sst files?
8:57 PM
I do have a zero byte .log in there too
zwass
11/10/2020, 10:30 PM
It will be # of log lines (json objects)
Dan Achin
11/10/2020, 10:43 PM
awesome, thanks