# plugins
r
Hey there! Has anybody run into the osqueryd worker no longer sending results via TLS a few minutes after the watchdog blacklists one of them? I get a "scheduled query may have failed," then ~10 minutes later, osquery stops attempting to hit any endpoint except /distributed/read. I think this is probably a problem with my osquery worker, not the tls plugin – but I figured I would start here.
z
Is it possible that every query is blacklisted? Can you run a live query and see what you get from the osquery_schedule table?
r
@zwass I believe only one query is blacklisted (I get one log line saying scheduled query may have failed, and I know why it's taking so long) but live queries are also hanging, which is unfortunate. I'm able to replicate locally though, so I'm going to try to see if I can look through rocksdb to find the set of blacklisted queries