Channels
doorman
infrastructure
random
zercurity
community-feeds
fleet-dev
code-review
queryhub
apple-silicon
carving
tls
fim
goquery
zentral
aws
querycon
golang
zeek
file-carving
fuzzing
auditing-warroom
linen-dev
fleetosquery
plugins
jobs
arm-architecture
darkbytes
process-auditing
uptycs
android_tests
selfgroup
vendor-feeds
fleet
eclecticiq-polylogyx-extension
ebpf
website
core
general
macos
kolide
osctrl
extensions
foundation
sql
officehours
linux
windows
Title
l
Lucas Santos
07/06/2022, 1:22 PMHi there!
I have a question about running differential queries in osquery and fleetdm. For example, when this type of query is run on a machine, where are the results saved for comparison? On the Osquery's or Fleetdm's side? I'm having a problem with a large amount of network consumption traffic (outbound and inbound) from fleetdm. Since I have a considerable amount of "Differential" queries, I think that the fleetdm could send the information back to the clients to get the differential value, and the clients send that information back. I found that my Fleetdm server is receiving 100GB of traffic data from agents, but only 20GB is logged in results.log and less in status.log.
Thanks in advance,
d
D4veB3st
07/06/2022, 1:25 PMis that a daily or monthly ingestion?
l
Lucas Santos
07/06/2022, 1:26 PMDaily ingestion
k
Kathy Satterlee
07/06/2022, 2:45 PMHow many hosts do you have enrolled and roughly how many queries are you running on a daily basis?
l
Lucas Santos
07/06/2022, 4:50 PMThere were 17 queries, every query had diffent times of execution, most executed every 5 min
In total there is 9500 hosts
z
zwass
07/06/2022, 5:51 PMDifferential queries are "diffed" on the local machine. Osquery stores the results in RocksDB and generates a diff before sending the logs.
:ty: 2