Hi all Does anyone know if clients will keep running their p

Question

Hi all Does anyone know if clients will keep running their packs on whatever schedule they last got from Fleet or if they only execute queries when they get a valid response from Fleet when they check in Eventually we ll have an externally accessible Fleet endpoint for our corp laptops but currently we are relying on VPN I m assuming that if a client can t check in it s not going to run any queries because a failure to check in to Fleet would also indicate that the client wouldn t be able to post the results to Fleet Is this correct

zwass · Answer

The client will continue running the same config and buffering the results until it can get them successfully to Fleet

Dan Achin · Answer

OK my assumption is wrong then slightly smiling face

Dan Achin · Answer

Cool will they eventually stop or just run until they run our of disk space I know that fleet will eventually MIA them

zwass · Answer

They will buffer logs until they reach ` buffered log max` number of logs then start dropping the oldest

Dan Achin · Answer

Awesome

Dan Achin · Answer

thanks

Dan Achin · Answer

ya we definitely don t set that currently

Dan Achin · Answer

we ll have to set a reasonable value Is there a default

Dan Achin · Answer

assuming bytes also

sundsta · Answer

The default is 1million according to <https osquery readthedocs io en stable installation cli flags > And it is the number of logs not bytes

Dan Achin · Answer

Great thanks I was just going to ask if the default was the number listed in the docs I wasn t sure if it was safe to assume that having a value present in the docs meant it was default

Dan Achin · Answer

< sundsta> < zwass> thanks again for your help this is much appreciated I just had one follow up it looks like we are only using the tls logger plugin and not writing logs to the filesystem I do see that the ` buffered log max` setting does applies to the tls logger plugin though without local log files I m not sure where the client would buffer results that are only going to send via tls can you help me understand how we set a buffer limit when just using tls logger

zwass · Answer

The tls logger buffers logs in RocksDB the same store used for osquery evented tables and then sends the logs on interval `logger tls period` They are only cleared when they are sent successfully or overflow the max

Dan Achin · Answer

ok great so it is buffered to osquery db

Dan Achin · Answer

so would the 1 000 000 be of sst files

Dan Achin · Answer

i do have a zero byte log in there too

zwass · Answer

It will be of log lines json objects

Dan Achin · Answer

awesome thanks