Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
r
robbie
02/13/2020, 6:39 PMHey there! Has anybody run into the osqueryd worker no longer sending results via TLS a few minutes after the watchdog blacklists one of them? I get a "scheduled query may have failed," then ~10 minutes later, osquery stops attempting to hit any endpoint except /distributed/read.
I think this is probably a problem with my osquery worker, not the tls plugin – but I figured I would start here.
z
zwass
02/13/2020, 7:25 PMIs it possible that every query is blacklisted? Can you run a live query and see what you get from the
osquery_scheduler
robbie
02/14/2020, 7:30 PM@zwass I believe only one query is blacklisted (I get one log line saying scheduled query may have failed, and I know why it's taking so long) but live queries are also hanging, which is unfortunate. I'm able to replicate locally though, so I'm going to try to see if I can look through rocksdb to find the set of blacklisted queries