Osquery uses basic SQL commands to leverage a relational data-model to describe a device.

osquery

When using `distributed_plugin` eg with Fleet, I have observed that the query results do not log to the `logger_plugin` location, these are only within their own comms path. Is that correct? Any way to have the queries logged locally also?

No, the logger plugin only received scheduled query logs.

:thumbsup: Thought so <@U0JFM04MS>, thanks for confirming this.

:thinking_face: thinking about this a bit more, the scheduled queries defined in fleet would then log to the local logger?
It’s actually osquery config which is updated with these via config, which will require the `tls` config plugin? Where the live queries are the distributed plugin. That’s how I think it works. The scheduling isn’t done within fleet.

Which then means we’re handing over config to fleet, I wonder if there’s a way to honour filesystem config as preferred except for fleet’s scheduled queries in that case.

I wonder then if it’d work to have an empty ‘Global agent options’ in fleet plus enable the tls config_plugin in osq. Maybe this would not overwrite nor apply any config, but osq agents would run the fleet scheduled queries :thinking_face:

Anything that you set in the flagfile (which lives on the filesystem) that is not overwritten by configs you set inFleet would achieve "honour filesystem config as preferred". You can't set every kind of config via flagfile, but perhaps that covers what you are looking for?

&gt; the scheduled queries defined in fleet would then log to the local logger?
Yes, that's right. Which could be `filesystem` (filesystem on the local host), or `tls` (logging to Fleet, where it is typically forwarded on to some logging pipeline). It can actually be both if you want.

Note that config is either/or, you can't have both `filesystem` and `tls` for config plugin.