👋 Trying to debug an issue and I'm curious if anyone else has encountered it here — we have a group of linux endpoints that were enrolled in Fleet previously but are no longer visible in the UI or reachable via fleetcl . My theory is that this may be related to the "automatic host expiry" option enabled but the "last seen time" for one of the hosts is yesterday; our expiry window much larger than 24 hrs 😛 . How does Kolide determine "last seen time"?

Any time the host makes a request to Fleet the seen time is updated.

huh

These hosts are still in the DB?

I haven't hopped onto the DB instance yet, I was trying to reach the host via

fleetctl

and the fleet UI first.

Does the host show up in

fleetctl get hosts

?

We ingest Fleet server logs into BigQuery

So you saw a server log indicating that host made a request?

we have a log line that show the host was online yesterday and it's last_seen_time was also yesterday

Where did you see the

last_seen_time

if not in the UI or DB?

Sorry let my clarify. I didn't interface with the DB directly. We are ingesting the db data into GCP's BigQuery and I was able to see the last_seen_time and online status there.

Ah, I see. Would be interesting to know if the entry is in the DB. If so, there's no reason it should not be available through the UI/fleetctl.